guloader | d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25FC004658_Femetagershusenes.exe
Size

601KB
MD5

77221f5f2a4984872389759b83446a62
SHA1

07c1d4795c8ec52dff45be198abde62c331ded59
SHA256

d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588
SHA512

bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485
SSDEEP

12288:SDGg/i9HZmS7DpP5AkavuzLiB5Puhrxk/8872b5GmledTRfSCG+sQCVv:jD5PUkwuKB8rxk0omle3VG+shVv

Score

10^/10

guloader remcos parosh new discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PAROSH NEW

parosh.didns.ru:3011

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
polshmy
keylog_path
%AppData%
mouse_option
false
mutex
psh983mn-LGLX6H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 8 IoCs

pid	Process
3260	Funktionsafprvningerne.exe
684	Funktionsafprvningerne.exe
1740	Funktionsafprvningerne.exe
1844	Funktionsafprvningerne.exe
3260	Funktionsafprvningerne.exe
4912	Funktionsafprvningerne.exe
3132	Funktionsafprvningerne.exe
4240	Funktionsafprvningerne.exe

Loads dropped DLL 9 IoCs

pid	Process
5468	25FC004658_Femetagershusenes.exe
3260	Funktionsafprvningerne.exe
684	Funktionsafprvningerne.exe
1740	Funktionsafprvningerne.exe
1844	Funktionsafprvningerne.exe
3260	Funktionsafprvningerne.exe
4912	Funktionsafprvningerne.exe
3132	Funktionsafprvningerne.exe
4240	Funktionsafprvningerne.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe

Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs

pid	Process
2596	IMCCPHR.exe
3556	IMCCPHR.exe
1848	IMCCPHR.exe
5660	IMCCPHR.exe
1396	IMCCPHR.exe
6012	IMCCPHR.exe
5704	IMCCPHR.exe
5360	IMCCPHR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
5468	25FC004658_Femetagershusenes.exe
2596	IMCCPHR.exe
3260	Funktionsafprvningerne.exe
3556	IMCCPHR.exe
684	Funktionsafprvningerne.exe
1848	IMCCPHR.exe
1740	Funktionsafprvningerne.exe
5660	IMCCPHR.exe
1844	Funktionsafprvningerne.exe
1396	IMCCPHR.exe
3260	Funktionsafprvningerne.exe
6012	IMCCPHR.exe
4912	Funktionsafprvningerne.exe
5704	IMCCPHR.exe
3132	Funktionsafprvningerne.exe
5360	IMCCPHR.exe
4240	Funktionsafprvningerne.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	25FC004658_Femetagershusenes.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25FC004658_Femetagershusenes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
5468	25FC004658_Femetagershusenes.exe
3260	Funktionsafprvningerne.exe
684	Funktionsafprvningerne.exe
1740	Funktionsafprvningerne.exe
1844	Funktionsafprvningerne.exe
3260	Funktionsafprvningerne.exe
4912	Funktionsafprvningerne.exe
3132	Funktionsafprvningerne.exe
4240	Funktionsafprvningerne.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	IMCCPHR.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5468 wrote to memory of 2596	5468	25FC004658_Femetagershusenes.exe	95
PID 5468 wrote to memory of 2596	5468	25FC004658_Femetagershusenes.exe	95
PID 5468 wrote to memory of 2596	5468	25FC004658_Femetagershusenes.exe	95
PID 5468 wrote to memory of 2596	5468	25FC004658_Femetagershusenes.exe	95
PID 4556 wrote to memory of 3260	4556	cmd.exe	99
PID 4556 wrote to memory of 3260	4556	cmd.exe	99
PID 4556 wrote to memory of 3260	4556	cmd.exe	99
PID 3260 wrote to memory of 3556	3260	Funktionsafprvningerne.exe	100
PID 3260 wrote to memory of 3556	3260	Funktionsafprvningerne.exe	100
PID 3260 wrote to memory of 3556	3260	Funktionsafprvningerne.exe	100
PID 3260 wrote to memory of 3556	3260	Funktionsafprvningerne.exe	100
PID 3644 wrote to memory of 684	3644	cmd.exe	105
PID 3644 wrote to memory of 684	3644	cmd.exe	105
PID 3644 wrote to memory of 684	3644	cmd.exe	105
PID 684 wrote to memory of 1848	684	Funktionsafprvningerne.exe	113
PID 684 wrote to memory of 1848	684	Funktionsafprvningerne.exe	113
PID 684 wrote to memory of 1848	684	Funktionsafprvningerne.exe	113
PID 684 wrote to memory of 1848	684	Funktionsafprvningerne.exe	113
PID 5584 wrote to memory of 1740	5584	cmd.exe	116
PID 5584 wrote to memory of 1740	5584	cmd.exe	116
PID 5584 wrote to memory of 1740	5584	cmd.exe	116
PID 1740 wrote to memory of 5660	1740	Funktionsafprvningerne.exe	117
PID 1740 wrote to memory of 5660	1740	Funktionsafprvningerne.exe	117
PID 1740 wrote to memory of 5660	1740	Funktionsafprvningerne.exe	117
PID 1740 wrote to memory of 5660	1740	Funktionsafprvningerne.exe	117
PID 100 wrote to memory of 1844	100	cmd.exe	120
PID 100 wrote to memory of 1844	100	cmd.exe	120
PID 100 wrote to memory of 1844	100	cmd.exe	120
PID 1844 wrote to memory of 1396	1844	Funktionsafprvningerne.exe	121
PID 1844 wrote to memory of 1396	1844	Funktionsafprvningerne.exe	121
PID 1844 wrote to memory of 1396	1844	Funktionsafprvningerne.exe	121
PID 1844 wrote to memory of 1396	1844	Funktionsafprvningerne.exe	121
PID 3648 wrote to memory of 3260	3648	cmd.exe	125
PID 3648 wrote to memory of 3260	3648	cmd.exe	125
PID 3648 wrote to memory of 3260	3648	cmd.exe	125
PID 3260 wrote to memory of 6012	3260	Funktionsafprvningerne.exe	126
PID 3260 wrote to memory of 6012	3260	Funktionsafprvningerne.exe	126
PID 3260 wrote to memory of 6012	3260	Funktionsafprvningerne.exe	126
PID 3260 wrote to memory of 6012	3260	Funktionsafprvningerne.exe	126
PID 5628 wrote to memory of 4912	5628	cmd.exe	129
PID 5628 wrote to memory of 4912	5628	cmd.exe	129
PID 5628 wrote to memory of 4912	5628	cmd.exe	129
PID 4912 wrote to memory of 5704	4912	Funktionsafprvningerne.exe	130
PID 4912 wrote to memory of 5704	4912	Funktionsafprvningerne.exe	130
PID 4912 wrote to memory of 5704	4912	Funktionsafprvningerne.exe	130
PID 4912 wrote to memory of 5704	4912	Funktionsafprvningerne.exe	130
PID 1000 wrote to memory of 3132	1000	cmd.exe	133
PID 1000 wrote to memory of 3132	1000	cmd.exe	133
PID 1000 wrote to memory of 3132	1000	cmd.exe	133
PID 3132 wrote to memory of 5360	3132	Funktionsafprvningerne.exe	134
PID 3132 wrote to memory of 5360	3132	Funktionsafprvningerne.exe	134
PID 3132 wrote to memory of 5360	3132	Funktionsafprvningerne.exe	134
PID 3132 wrote to memory of 5360	3132	Funktionsafprvningerne.exe	134
PID 5632 wrote to memory of 4240	5632	cmd.exe	137
PID 5632 wrote to memory of 4240	5632	cmd.exe	137
PID 5632 wrote to memory of 4240	5632	cmd.exe	137
PID 4240 wrote to memory of 5500	4240	Funktionsafprvningerne.exe	138
PID 4240 wrote to memory of 5500	4240	Funktionsafprvningerne.exe	138
PID 4240 wrote to memory of 5500	4240	Funktionsafprvningerne.exe	138
PID 4240 wrote to memory of 5500	4240	Funktionsafprvningerne.exe	138

C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe
"C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5468
- C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
  "C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5584
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5628
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5632
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
f5aedcdf049f6dd3065cb9a91d23f324

SHA1
191bb10a3aec519f335a7d115dd3632557c375aa

SHA256
76cd89f1f9436dcbc38d694441100d0939c3439d9e96f524dea0a6373d5df7e6

SHA512
10d015798c78a09c34d2b5fc89c32d24c311c17b3dea73441b4acbf33902db4468dfba28fc839167b49dafcfdfa7371bde5210f49a16263d0cb0ecb0c83edd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
471B

MD5
4290d29fe7d42d6202716822c711a443

SHA1
bc927e004de7034bc6cf168a0779aab81df7d41a

SHA256
88b8e4ec7c2a917a58493593abdb6e2217a961a3251ed1ef7b1acd3981121017

SHA512
4cd870648c58f86a520dd1bce9d6c85c03e9a4c63f4f345658aa3f86a399b40777e83dfe1a09bee0d71e226eaad374f037a4f53e118397727d8a5f9a164c21f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
a29aba4b731540a91482921448ec3851

SHA1
0d97b044f00e6f036f3e9abcec93525040858d9d

SHA256
f91f4520bf18482600d93fdd5c26a2198cf83cff63775679958919302a3c7b89

SHA512
4eff85ece0bc378bd3d801d53ac00dcc8d588df38204964eb2a453090b8fca397b9c5e1348f1ebab926249d3ed05f93c1bc57a2115b154d7d3f84fdd17d65c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
c83b8202abfd9e1c2a0a0c0c00b0a20c

SHA1
c5f19afb2c14255d1978c3e5621be7ffa605e565

SHA256
50aaa2c1ef1506d11c712a523244bb1647c71ff946cdb849e50181c950a14672

SHA512
873b802a46e16479f7755eb224b7ba31dcb5c8e987a2f77321290eba5cdaf728fe289f63a29c208af3c9fb98b878d374cb024f7602dfae50722329f5da2b27f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
400B

MD5
2fd01d428669fe789d466fc9accf51d7

SHA1
8a6897289fff1d088a2123bf2947ead41565626b

SHA256
25aec3be4b3ca70bf18b538f049e8c77a33edd74c140da3efc544d54632cf8ff

SHA512
0fd9ec9ec27bcee388f1f74bf42a538c8c3e7c27e36df199930f89e2deb54ba719c68c8b323e2afdd91f09b2979c21dc5c2baf79ab580d92dd369b3dcebcbfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe

Filesize
601KB

MD5
77221f5f2a4984872389759b83446a62

SHA1
07c1d4795c8ec52dff45be198abde62c331ded59

SHA256
d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

SHA512
bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Barnagtigt138.ini

Filesize
358B

MD5
a7171e05f022a1f6a7248e12fbccf748

SHA1
892d0916f107e4353f9b1f8195eae8c7288a9786

SHA256
6752d4faabfb64279eb5dc73418ed24d1d9cdb78a92915984b4c395842768b94

SHA512
c09becb22987b2a7c67e67e36c01ea6f7c874cef759d526eb61e4a59887a65d2b476a7b8efe6db1e3204d14aa3f245cf6b78a890fc20ac2977183b194a1826d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Jested.Tek192

Filesize
361KB

MD5
4ec9cbbd7066419d2ceff69ad3805e01

SHA1
4d197384c43e59aace38749aa8194657c594fe5e

SHA256
129a1f70792363b3359623b465db0dcf9fa3267e36322b04eea5739086d9fcfa

SHA512
86a842c471d1db41bf47040d3a14945c2e1dcda265ac6966defe744628b3f2b6fb92ad5b7a72c38466f9165f5e3163e81e2392f37b7f761862619f55bf436ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Desk120.pro

Filesize
51KB

MD5
13b04bc417af81c854aa09dbb72af9c0

SHA1
98c21022ed8b3a853e941e3198736a00916cda3f

SHA256
fc21d861ddd497bd57bddb3bc2f565212d6851f7b4a59154f0dbb06926f393e6

SHA512
a41c15512047491a90f9adbc46a840a69379f1cddebd8ec7100d2fc2e1fae414ae59dcb226da91c00362f9de1a0f7401e66a1e0f1f5daab7407ee10c76eedc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Movieize.Hre

Filesize
124KB

MD5
07d9ec3690d68db14a35137e43e76590

SHA1
af3bcb09e8f9a095fc3aa747d73fd0701815d24e

SHA256
491cb797cfde3e8d2bdb9028f29a85f5bb9be1b8758c0b4f30b01655cdbcd14a

SHA512
66225f7b3c8898d93fdcf22b49f1f771dc01673ca240344675dbbc9c8d589e8bf9d57c9dcd6f98dec61df88427230a4213523661cc843bc23d41092057c22db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\dialogformerne.jpg

Filesize
20KB

MD5
8a77aa30afbd169c284151b0acf9e1fe

SHA1
8f5a0efd679b65db330eaab529db1bf95a77ae8c

SHA256
63d4e6bc6f0cd4d9703b8e053fc6f178775bb195fede282767a020f83d6f93f4

SHA512
665f237bc99601a4456f59b8cfa5c135856d0487ac23cfddc67e2787cb83b06fdb3b334164a50da07bfc6be12bbb0597793021051f3a18a2aecf6cb5c4f1ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\gowk.nul

Filesize
147KB

MD5
a5ad600eaeb7b4bd6f7e7bd7e4d382cb

SHA1
e6d7f9dec77f3d6b01e789679d8cbe1d9021e272

SHA256
21db5b3b885475eca98160ea34fbdc0303a54ad36fa41ca71f6dbe5c3570897d

SHA512
a5bc1cb401b08dd1546365a6072aaa4602e1995e39f972cde8c0bc8ee7569480c0f75aeb03106564d8985488850d383702700b2f730c1cbccca18d4234b867c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\ornecentral.par

Filesize
190KB

MD5
3f4118f3e2bf1f342eed397c3b00512a

SHA1
03e94f6f726aa9709b677017e212e4a795fb93fa

SHA256
dcf483fcbf601d8e5c57339369d7f79bbafba07e80b39fbe0b9b8e12f067a250

SHA512
621acce677f3ff07f94598fdb48c47f2e77c2d9ab3e8452501664d3c33d599cd9fd5ebb630cdf19bc4793272db36fc122ccc93170d192fab16e3aefba79b54d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8196.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
C:\Users\Admin\Documents\Emissionsbreve.ini

Filesize
30B

MD5
9c41990255c107edff8d7ed715760746

SHA1
0adb5cd40454e53a34d2df3be971bea9b0e04452

SHA256
997506e1e3a395a57a4db940529da99b73d113bb10469d4e279bfbb8f67640b8

SHA512
d3cf4252752dd96e7fd855404f82ea57ad589f4d69b9df2bb93647657805f347ec65b97afa3fb0ec35e068b8deae31f863ed6c2e18bbe4146b03464301002018

Download Submit
memory/1396-170-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/1396-200-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/1848-105-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/1848-136-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/2596-20-0x0000000077041000-0x0000000077161000-memory.dmp

Filesize
1.1MB

Download
memory/2596-63-0x0000000077041000-0x0000000077161000-memory.dmp

Filesize
1.1MB

Download
memory/2596-59-0x00000000007B0000-0x0000000001A04000-memory.dmp

Filesize
18.3MB

Download
memory/2596-19-0x00000000770C8000-0x00000000770C9000-memory.dmp

Filesize
4KB

Download
memory/2596-18-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/3556-101-0x0000000000AB0000-0x0000000001D04000-memory.dmp

Filesize
18.3MB

Download
memory/3556-103-0x0000000001D10000-0x000000000686F000-memory.dmp

Filesize
75.4MB

Download
memory/3556-67-0x0000000001D10000-0x000000000686F000-memory.dmp

Filesize
75.4MB

Download
memory/5360-271-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/5360-251-0x0000000001A10000-0x000000000656F000-memory.dmp

Filesize
75.4MB

Download
memory/5468-17-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/5468-16-0x0000000077041000-0x0000000077161000-memory.dmp

Filesize
1.1MB

Download
memory/5500-273-0x0000000002490000-0x0000000006FEF000-memory.dmp

Filesize
75.4MB

Download
memory/5660-138-0x0000000002460000-0x0000000006FBF000-memory.dmp

Filesize
75.4MB

Download
memory/5660-165-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/5660-168-0x0000000002460000-0x0000000006FBF000-memory.dmp

Filesize
75.4MB

Download
memory/5704-249-0x0000000002260000-0x0000000006DBF000-memory.dmp

Filesize
75.4MB

Download
memory/5704-245-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/5704-229-0x0000000002260000-0x0000000006DBF000-memory.dmp

Filesize
75.4MB

Download
memory/6012-227-0x0000000001F60000-0x0000000006ABF000-memory.dmp

Filesize
75.4MB

Download
memory/6012-223-0x0000000000D00000-0x0000000001F54000-memory.dmp

Filesize
18.3MB

Download
memory/6012-202-0x0000000001F60000-0x0000000006ABF000-memory.dmp

Filesize
75.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads