guloader | d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25FC004658_Femetagershusenes.exe
Size

601KB
MD5

77221f5f2a4984872389759b83446a62
SHA1

07c1d4795c8ec52dff45be198abde62c331ded59
SHA256

d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588
SHA512

bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485
SSDEEP

12288:SDGg/i9HZmS7DpP5AkavuzLiB5Puhrxk/8872b5GmledTRfSCG+sQCVv:jD5PUkwuKB8rxk0omle3VG+shVv

Score

10^/10

guloader remcos parosh new discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PAROSH NEW

parosh.didns.ru:3011

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
polshmy
keylog_path
%AppData%
mouse_option
false
mutex
psh983mn-LGLX6H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 8 IoCs

pid	Process
1460	Funktionsafprvningerne.exe
3748	Funktionsafprvningerne.exe
2384	Funktionsafprvningerne.exe
2332	Funktionsafprvningerne.exe
1468	Funktionsafprvningerne.exe
1088	Funktionsafprvningerne.exe
5980	Funktionsafprvningerne.exe
880	Funktionsafprvningerne.exe

Loads dropped DLL 9 IoCs

pid	Process
5352	25FC004658_Femetagershusenes.exe
1460	Funktionsafprvningerne.exe
3748	Funktionsafprvningerne.exe
2384	Funktionsafprvningerne.exe
2332	Funktionsafprvningerne.exe
1468	Funktionsafprvningerne.exe
1088	Funktionsafprvningerne.exe
5980	Funktionsafprvningerne.exe
880	Funktionsafprvningerne.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe

Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs

pid	Process
3788	IMCCPHR.exe
2356	IMCCPHR.exe
5264	IMCCPHR.exe
2200	IMCCPHR.exe
1500	IMCCPHR.exe
1332	IMCCPHR.exe
2096	IMCCPHR.exe
2352	IMCCPHR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
5352	25FC004658_Femetagershusenes.exe
3788	IMCCPHR.exe
1460	Funktionsafprvningerne.exe
2356	IMCCPHR.exe
3748	Funktionsafprvningerne.exe
5264	IMCCPHR.exe
2384	Funktionsafprvningerne.exe
2200	IMCCPHR.exe
2332	Funktionsafprvningerne.exe
1500	IMCCPHR.exe
1468	Funktionsafprvningerne.exe
1332	IMCCPHR.exe
1088	Funktionsafprvningerne.exe
2096	IMCCPHR.exe
5980	Funktionsafprvningerne.exe
2352	IMCCPHR.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	25FC004658_Femetagershusenes.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25FC004658_Femetagershusenes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
5352	25FC004658_Femetagershusenes.exe
1460	Funktionsafprvningerne.exe
3748	Funktionsafprvningerne.exe
2384	Funktionsafprvningerne.exe
2332	Funktionsafprvningerne.exe
1468	Funktionsafprvningerne.exe
1088	Funktionsafprvningerne.exe
5980	Funktionsafprvningerne.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	IMCCPHR.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 5352 wrote to memory of 3788	5352	25FC004658_Femetagershusenes.exe	94
PID 5352 wrote to memory of 3788	5352	25FC004658_Femetagershusenes.exe	94
PID 5352 wrote to memory of 3788	5352	25FC004658_Femetagershusenes.exe	94
PID 5352 wrote to memory of 3788	5352	25FC004658_Femetagershusenes.exe	94
PID 5048 wrote to memory of 1460	5048	cmd.exe	98
PID 5048 wrote to memory of 1460	5048	cmd.exe	98
PID 5048 wrote to memory of 1460	5048	cmd.exe	98
PID 1460 wrote to memory of 2356	1460	Funktionsafprvningerne.exe	99
PID 1460 wrote to memory of 2356	1460	Funktionsafprvningerne.exe	99
PID 1460 wrote to memory of 2356	1460	Funktionsafprvningerne.exe	99
PID 1460 wrote to memory of 2356	1460	Funktionsafprvningerne.exe	99
PID 3696 wrote to memory of 3748	3696	cmd.exe	103
PID 3696 wrote to memory of 3748	3696	cmd.exe	103
PID 3696 wrote to memory of 3748	3696	cmd.exe	103
PID 3748 wrote to memory of 5264	3748	Funktionsafprvningerne.exe	111
PID 3748 wrote to memory of 5264	3748	Funktionsafprvningerne.exe	111
PID 3748 wrote to memory of 5264	3748	Funktionsafprvningerne.exe	111
PID 3748 wrote to memory of 5264	3748	Funktionsafprvningerne.exe	111
PID 392 wrote to memory of 2384	392	cmd.exe	114
PID 392 wrote to memory of 2384	392	cmd.exe	114
PID 392 wrote to memory of 2384	392	cmd.exe	114
PID 2384 wrote to memory of 2200	2384	Funktionsafprvningerne.exe	115
PID 2384 wrote to memory of 2200	2384	Funktionsafprvningerne.exe	115
PID 2384 wrote to memory of 2200	2384	Funktionsafprvningerne.exe	115
PID 2384 wrote to memory of 2200	2384	Funktionsafprvningerne.exe	115
PID 6036 wrote to memory of 2332	6036	cmd.exe	118
PID 6036 wrote to memory of 2332	6036	cmd.exe	118
PID 6036 wrote to memory of 2332	6036	cmd.exe	118
PID 2332 wrote to memory of 1500	2332	Funktionsafprvningerne.exe	120
PID 2332 wrote to memory of 1500	2332	Funktionsafprvningerne.exe	120
PID 2332 wrote to memory of 1500	2332	Funktionsafprvningerne.exe	120
PID 2332 wrote to memory of 1500	2332	Funktionsafprvningerne.exe	120
PID 2136 wrote to memory of 1468	2136	cmd.exe	123
PID 2136 wrote to memory of 1468	2136	cmd.exe	123
PID 2136 wrote to memory of 1468	2136	cmd.exe	123
PID 1468 wrote to memory of 1332	1468	Funktionsafprvningerne.exe	124
PID 1468 wrote to memory of 1332	1468	Funktionsafprvningerne.exe	124
PID 1468 wrote to memory of 1332	1468	Funktionsafprvningerne.exe	124
PID 1468 wrote to memory of 1332	1468	Funktionsafprvningerne.exe	124
PID 4968 wrote to memory of 1088	4968	cmd.exe	127
PID 4968 wrote to memory of 1088	4968	cmd.exe	127
PID 4968 wrote to memory of 1088	4968	cmd.exe	127
PID 1088 wrote to memory of 2096	1088	Funktionsafprvningerne.exe	128
PID 1088 wrote to memory of 2096	1088	Funktionsafprvningerne.exe	128
PID 1088 wrote to memory of 2096	1088	Funktionsafprvningerne.exe	128
PID 1088 wrote to memory of 2096	1088	Funktionsafprvningerne.exe	128
PID 5560 wrote to memory of 5980	5560	cmd.exe	131
PID 5560 wrote to memory of 5980	5560	cmd.exe	131
PID 5560 wrote to memory of 5980	5560	cmd.exe	131
PID 5980 wrote to memory of 2352	5980	Funktionsafprvningerne.exe	132
PID 5980 wrote to memory of 2352	5980	Funktionsafprvningerne.exe	132
PID 5980 wrote to memory of 2352	5980	Funktionsafprvningerne.exe	132
PID 5980 wrote to memory of 2352	5980	Funktionsafprvningerne.exe	132
PID 3636 wrote to memory of 880	3636	cmd.exe	135
PID 3636 wrote to memory of 880	3636	cmd.exe	135
PID 3636 wrote to memory of 880	3636	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe
"C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5352
- C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
  "C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5560
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5980
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
f5aedcdf049f6dd3065cb9a91d23f324

SHA1
191bb10a3aec519f335a7d115dd3632557c375aa

SHA256
76cd89f1f9436dcbc38d694441100d0939c3439d9e96f524dea0a6373d5df7e6

SHA512
10d015798c78a09c34d2b5fc89c32d24c311c17b3dea73441b4acbf33902db4468dfba28fc839167b49dafcfdfa7371bde5210f49a16263d0cb0ecb0c83edd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
471B

MD5
4290d29fe7d42d6202716822c711a443

SHA1
bc927e004de7034bc6cf168a0779aab81df7d41a

SHA256
88b8e4ec7c2a917a58493593abdb6e2217a961a3251ed1ef7b1acd3981121017

SHA512
4cd870648c58f86a520dd1bce9d6c85c03e9a4c63f4f345658aa3f86a399b40777e83dfe1a09bee0d71e226eaad374f037a4f53e118397727d8a5f9a164c21f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
ba5873e827ce48a031d2fbe49e91f564

SHA1
0032f2a8e141ca7999ccd0960ff92e37a5ac3859

SHA256
2d7fc93fd641e462eb9098b7f8687bf5dd9a12b9d299cf06ac89d34eeecca92e

SHA512
9043ff8b667744f155f37396bea43ba58cfb64e33bde027b7ffaca7cd3a870576458c256012a44d1aee1c97aca418220d440e22c2caa29caf8bc2bb0d9e92fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
dbfc50c57d75a6dfbd90cf5251c89762

SHA1
d45a01080a95dee397f078468efebc1d8a2fba00

SHA256
34157061b07fe3163e68d81e8e72a90423e4869bed6c573b81e17fc4c920542f

SHA512
c3371d0b6fd365f498a41ad65f7d236f5b810f79ec4f338c6dad9417cb5597f902796e03741025ee3a0d3fc9b4fc4a80a6ea2dd6de00ca2feafee8db4cdbf66a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
400B

MD5
a9b6372773cf4baae3c74808659b2424

SHA1
009f97700d81aeeb1d0f8354e5917b0670d46ec4

SHA256
35d115b02a4403f038901959b726603be2b069f04cfeac3b428768117eef07ce

SHA512
8e1b3732f147012a6423ae0ee12aecf8c1e179698ed0c12d71959f2e0f8f0155c23a36c5e9626a5d2533f2756b45515b3c6acf4de872a61f90360353ce38d989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe

Filesize
601KB

MD5
77221f5f2a4984872389759b83446a62

SHA1
07c1d4795c8ec52dff45be198abde62c331ded59

SHA256
d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

SHA512
bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Barnagtigt138.ini

Filesize
358B

MD5
a7171e05f022a1f6a7248e12fbccf748

SHA1
892d0916f107e4353f9b1f8195eae8c7288a9786

SHA256
6752d4faabfb64279eb5dc73418ed24d1d9cdb78a92915984b4c395842768b94

SHA512
c09becb22987b2a7c67e67e36c01ea6f7c874cef759d526eb61e4a59887a65d2b476a7b8efe6db1e3204d14aa3f245cf6b78a890fc20ac2977183b194a1826d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Jested.Tek192

Filesize
361KB

MD5
4ec9cbbd7066419d2ceff69ad3805e01

SHA1
4d197384c43e59aace38749aa8194657c594fe5e

SHA256
129a1f70792363b3359623b465db0dcf9fa3267e36322b04eea5739086d9fcfa

SHA512
86a842c471d1db41bf47040d3a14945c2e1dcda265ac6966defe744628b3f2b6fb92ad5b7a72c38466f9165f5e3163e81e2392f37b7f761862619f55bf436ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Desk120.pro

Filesize
51KB

MD5
13b04bc417af81c854aa09dbb72af9c0

SHA1
98c21022ed8b3a853e941e3198736a00916cda3f

SHA256
fc21d861ddd497bd57bddb3bc2f565212d6851f7b4a59154f0dbb06926f393e6

SHA512
a41c15512047491a90f9adbc46a840a69379f1cddebd8ec7100d2fc2e1fae414ae59dcb226da91c00362f9de1a0f7401e66a1e0f1f5daab7407ee10c76eedc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Movieize.Hre

Filesize
124KB

MD5
07d9ec3690d68db14a35137e43e76590

SHA1
af3bcb09e8f9a095fc3aa747d73fd0701815d24e

SHA256
491cb797cfde3e8d2bdb9028f29a85f5bb9be1b8758c0b4f30b01655cdbcd14a

SHA512
66225f7b3c8898d93fdcf22b49f1f771dc01673ca240344675dbbc9c8d589e8bf9d57c9dcd6f98dec61df88427230a4213523661cc843bc23d41092057c22db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\dialogformerne.jpg

Filesize
20KB

MD5
8a77aa30afbd169c284151b0acf9e1fe

SHA1
8f5a0efd679b65db330eaab529db1bf95a77ae8c

SHA256
63d4e6bc6f0cd4d9703b8e053fc6f178775bb195fede282767a020f83d6f93f4

SHA512
665f237bc99601a4456f59b8cfa5c135856d0487ac23cfddc67e2787cb83b06fdb3b334164a50da07bfc6be12bbb0597793021051f3a18a2aecf6cb5c4f1ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\gowk.nul

Filesize
147KB

MD5
a5ad600eaeb7b4bd6f7e7bd7e4d382cb

SHA1
e6d7f9dec77f3d6b01e789679d8cbe1d9021e272

SHA256
21db5b3b885475eca98160ea34fbdc0303a54ad36fa41ca71f6dbe5c3570897d

SHA512
a5bc1cb401b08dd1546365a6072aaa4602e1995e39f972cde8c0bc8ee7569480c0f75aeb03106564d8985488850d383702700b2f730c1cbccca18d4234b867c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\ornecentral.par

Filesize
190KB

MD5
3f4118f3e2bf1f342eed397c3b00512a

SHA1
03e94f6f726aa9709b677017e212e4a795fb93fa

SHA256
dcf483fcbf601d8e5c57339369d7f79bbafba07e80b39fbe0b9b8e12f067a250

SHA512
621acce677f3ff07f94598fdb48c47f2e77c2d9ab3e8452501664d3c33d599cd9fd5ebb630cdf19bc4793272db36fc122ccc93170d192fab16e3aefba79b54d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf616B.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
C:\Users\Admin\Documents\Emissionsbreve.ini

Filesize
30B

MD5
9c41990255c107edff8d7ed715760746

SHA1
0adb5cd40454e53a34d2df3be971bea9b0e04452

SHA256
997506e1e3a395a57a4db940529da99b73d113bb10469d4e279bfbb8f67640b8

SHA512
d3cf4252752dd96e7fd855404f82ea57ad589f4d69b9df2bb93647657805f347ec65b97afa3fb0ec35e068b8deae31f863ed6c2e18bbe4146b03464301002018

Download Submit
memory/1332-227-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/1332-202-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/1500-200-0x0000000002460000-0x0000000006FBF000-memory.dmp

Filesize
75.4MB

Download
memory/1500-196-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/1500-170-0x0000000002460000-0x0000000006FBF000-memory.dmp

Filesize
75.4MB

Download
memory/2096-229-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/2096-249-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/2200-138-0x0000000002500000-0x000000000705F000-memory.dmp

Filesize
75.4MB

Download
memory/2200-168-0x0000000002500000-0x000000000705F000-memory.dmp

Filesize
75.4MB

Download
memory/2200-164-0x00000000012A0000-0x00000000024F4000-memory.dmp

Filesize
18.3MB

Download
memory/2352-271-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/2356-100-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/2356-104-0x0000000002060000-0x0000000006BBF000-memory.dmp

Filesize
75.4MB

Download
memory/2356-68-0x0000000002060000-0x0000000006BBF000-memory.dmp

Filesize
75.4MB

Download
memory/3788-20-0x00000000771D8000-0x00000000771D9000-memory.dmp

Filesize
4KB

Download
memory/3788-21-0x0000000077151000-0x0000000077271000-memory.dmp

Filesize
1.1MB

Download
memory/3788-18-0x0000000001E10000-0x000000000696F000-memory.dmp

Filesize
75.4MB

Download
memory/3788-19-0x0000000077151000-0x0000000077271000-memory.dmp

Filesize
1.1MB

Download
memory/3788-64-0x0000000077151000-0x0000000077271000-memory.dmp

Filesize
1.1MB

Download
memory/3788-60-0x0000000000BB0000-0x0000000001E04000-memory.dmp

Filesize
18.3MB

Download
memory/5264-106-0x00000000024B0000-0x000000000700F000-memory.dmp

Filesize
75.4MB

Download
memory/5264-132-0x0000000001250000-0x00000000024A4000-memory.dmp

Filesize
18.3MB

Download
memory/5264-136-0x00000000024B0000-0x000000000700F000-memory.dmp

Filesize
75.4MB

Download
memory/5352-16-0x0000000077151000-0x0000000077271000-memory.dmp

Filesize
1.1MB

Download
memory/5352-17-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads