guloader | 760f8737397a004b29d0b7f0e6eed10813d129a07d2510bfb582b34b9121778c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25FC004658_Femetagershusenes.exe
Size

601KB
MD5

77221f5f2a4984872389759b83446a62
SHA1

07c1d4795c8ec52dff45be198abde62c331ded59
SHA256

d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588
SHA512

bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485
SSDEEP

12288:SDGg/i9HZmS7DpP5AkavuzLiB5Puhrxk/8872b5GmledTRfSCG+sQCVv:jD5PUkwuKB8rxk0omle3VG+shVv

Score

10^/10

guloader remcos parosh new discovery downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

PAROSH NEW

parosh.didns.ru:3011

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
polshmy
keylog_path
%AppData%
mouse_option
false
mutex
psh983mn-LGLX6H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 8 IoCs

pid	Process
5812	Funktionsafprvningerne.exe
3412	Funktionsafprvningerne.exe
1804	Funktionsafprvningerne.exe
5272	Funktionsafprvningerne.exe
1572	Funktionsafprvningerne.exe
876	Funktionsafprvningerne.exe
2956	Funktionsafprvningerne.exe
3768	Funktionsafprvningerne.exe

Loads dropped DLL 9 IoCs

pid	Process
1540	25FC004658_Femetagershusenes.exe
5812	Funktionsafprvningerne.exe
3412	Funktionsafprvningerne.exe
1804	Funktionsafprvningerne.exe
5272	Funktionsafprvningerne.exe
1572	Funktionsafprvningerne.exe
876	Funktionsafprvningerne.exe
2956	Funktionsafprvningerne.exe
3768	Funktionsafprvningerne.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Omsadlings = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ddbiderens\\Funktionsafprvningerne.exe"	IMCCPHR.exe

Suspicious use of NtCreateThreadExHideFromDebugger 8 IoCs

pid	Process
5332	IMCCPHR.exe
3048	IMCCPHR.exe
3324	IMCCPHR.exe
3488	IMCCPHR.exe
1556	IMCCPHR.exe
5624	IMCCPHR.exe
3368	IMCCPHR.exe
2976	IMCCPHR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1540	25FC004658_Femetagershusenes.exe
5332	IMCCPHR.exe
5812	Funktionsafprvningerne.exe
3048	IMCCPHR.exe
3412	Funktionsafprvningerne.exe
3324	IMCCPHR.exe
1804	Funktionsafprvningerne.exe
3488	IMCCPHR.exe
5272	Funktionsafprvningerne.exe
1556	IMCCPHR.exe
1572	Funktionsafprvningerne.exe
5624	IMCCPHR.exe
876	Funktionsafprvningerne.exe
3368	IMCCPHR.exe
2956	Funktionsafprvningerne.exe
2976	IMCCPHR.exe
3768	Funktionsafprvningerne.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	25FC004658_Femetagershusenes.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe
File opened for modification	C:\Windows\demoralisingly.Mic81	Funktionsafprvningerne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25FC004658_Femetagershusenes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funktionsafprvningerne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMCCPHR.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
1540	25FC004658_Femetagershusenes.exe
5812	Funktionsafprvningerne.exe
3412	Funktionsafprvningerne.exe
1804	Funktionsafprvningerne.exe
5272	Funktionsafprvningerne.exe
1572	Funktionsafprvningerne.exe
876	Funktionsafprvningerne.exe
2956	Funktionsafprvningerne.exe
3768	Funktionsafprvningerne.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5332	IMCCPHR.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 5332	1540	25FC004658_Femetagershusenes.exe	94
PID 1540 wrote to memory of 5332	1540	25FC004658_Femetagershusenes.exe	94
PID 1540 wrote to memory of 5332	1540	25FC004658_Femetagershusenes.exe	94
PID 1540 wrote to memory of 5332	1540	25FC004658_Femetagershusenes.exe	94
PID 4992 wrote to memory of 5812	4992	cmd.exe	98
PID 4992 wrote to memory of 5812	4992	cmd.exe	98
PID 4992 wrote to memory of 5812	4992	cmd.exe	98
PID 5812 wrote to memory of 3048	5812	Funktionsafprvningerne.exe	99
PID 5812 wrote to memory of 3048	5812	Funktionsafprvningerne.exe	99
PID 5812 wrote to memory of 3048	5812	Funktionsafprvningerne.exe	99
PID 5812 wrote to memory of 3048	5812	Funktionsafprvningerne.exe	99
PID 1508 wrote to memory of 3412	1508	cmd.exe	104
PID 1508 wrote to memory of 3412	1508	cmd.exe	104
PID 1508 wrote to memory of 3412	1508	cmd.exe	104
PID 3412 wrote to memory of 3324	3412	Funktionsafprvningerne.exe	111
PID 3412 wrote to memory of 3324	3412	Funktionsafprvningerne.exe	111
PID 3412 wrote to memory of 3324	3412	Funktionsafprvningerne.exe	111
PID 3412 wrote to memory of 3324	3412	Funktionsafprvningerne.exe	111
PID 4208 wrote to memory of 1804	4208	cmd.exe	114
PID 4208 wrote to memory of 1804	4208	cmd.exe	114
PID 4208 wrote to memory of 1804	4208	cmd.exe	114
PID 1804 wrote to memory of 3488	1804	Funktionsafprvningerne.exe	115
PID 1804 wrote to memory of 3488	1804	Funktionsafprvningerne.exe	115
PID 1804 wrote to memory of 3488	1804	Funktionsafprvningerne.exe	115
PID 1804 wrote to memory of 3488	1804	Funktionsafprvningerne.exe	115
PID 4492 wrote to memory of 5272	4492	cmd.exe	118
PID 4492 wrote to memory of 5272	4492	cmd.exe	118
PID 4492 wrote to memory of 5272	4492	cmd.exe	118
PID 5272 wrote to memory of 1556	5272	Funktionsafprvningerne.exe	120
PID 5272 wrote to memory of 1556	5272	Funktionsafprvningerne.exe	120
PID 5272 wrote to memory of 1556	5272	Funktionsafprvningerne.exe	120
PID 5272 wrote to memory of 1556	5272	Funktionsafprvningerne.exe	120
PID 4356 wrote to memory of 1572	4356	cmd.exe	123
PID 4356 wrote to memory of 1572	4356	cmd.exe	123
PID 4356 wrote to memory of 1572	4356	cmd.exe	123
PID 1572 wrote to memory of 5624	1572	Funktionsafprvningerne.exe	124
PID 1572 wrote to memory of 5624	1572	Funktionsafprvningerne.exe	124
PID 1572 wrote to memory of 5624	1572	Funktionsafprvningerne.exe	124
PID 1572 wrote to memory of 5624	1572	Funktionsafprvningerne.exe	124
PID 4932 wrote to memory of 876	4932	cmd.exe	127
PID 4932 wrote to memory of 876	4932	cmd.exe	127
PID 4932 wrote to memory of 876	4932	cmd.exe	127
PID 876 wrote to memory of 3368	876	Funktionsafprvningerne.exe	128
PID 876 wrote to memory of 3368	876	Funktionsafprvningerne.exe	128
PID 876 wrote to memory of 3368	876	Funktionsafprvningerne.exe	128
PID 876 wrote to memory of 3368	876	Funktionsafprvningerne.exe	128
PID 2664 wrote to memory of 2956	2664	cmd.exe	131
PID 2664 wrote to memory of 2956	2664	cmd.exe	131
PID 2664 wrote to memory of 2956	2664	cmd.exe	131
PID 2956 wrote to memory of 2976	2956	Funktionsafprvningerne.exe	132
PID 2956 wrote to memory of 2976	2956	Funktionsafprvningerne.exe	132
PID 2956 wrote to memory of 2976	2956	Funktionsafprvningerne.exe	132
PID 2956 wrote to memory of 2976	2956	Funktionsafprvningerne.exe	132
PID 1132 wrote to memory of 3768	1132	cmd.exe	135
PID 1132 wrote to memory of 3768	1132	cmd.exe	135
PID 1132 wrote to memory of 3768	1132	cmd.exe	135
PID 3768 wrote to memory of 1108	3768	Funktionsafprvningerne.exe	136
PID 3768 wrote to memory of 1108	3768	Funktionsafprvningerne.exe	136
PID 3768 wrote to memory of 1108	3768	Funktionsafprvningerne.exe	136
PID 3768 wrote to memory of 1108	3768	Funktionsafprvningerne.exe	136

C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe
"C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
  "C:\Users\Admin\AppData\Local\Temp\25FC004658_Femetagershusenes.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5812
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5272
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe
    C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
a63dc15d95de395a9e5de80446ba6ac5

SHA1
e3ab417d87ecd1a5d17d905874c5f2ae1c3a0d3e

SHA256
d81933b0834133fb1757ef8655b6130f5a64a5725b4baa473b0a3132a62fbdbc

SHA512
a58d14dac9db8b2ca1e7757bcef56bfd81d0edaedd46b47553d416062583bab478690abcf9aba86690e717472d720ec55796db9470c9308850130fe98493558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
f5aedcdf049f6dd3065cb9a91d23f324

SHA1
191bb10a3aec519f335a7d115dd3632557c375aa

SHA256
76cd89f1f9436dcbc38d694441100d0939c3439d9e96f524dea0a6373d5df7e6

SHA512
10d015798c78a09c34d2b5fc89c32d24c311c17b3dea73441b4acbf33902db4468dfba28fc839167b49dafcfdfa7371bde5210f49a16263d0cb0ecb0c83edd70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
471B

MD5
4290d29fe7d42d6202716822c711a443

SHA1
bc927e004de7034bc6cf168a0779aab81df7d41a

SHA256
88b8e4ec7c2a917a58493593abdb6e2217a961a3251ed1ef7b1acd3981121017

SHA512
4cd870648c58f86a520dd1bce9d6c85c03e9a4c63f4f345658aa3f86a399b40777e83dfe1a09bee0d71e226eaad374f037a4f53e118397727d8a5f9a164c21f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
77a31782afa8e5180fbe46f39db0696d

SHA1
2a4162e1769a7c85a4e4ace37770875f2d9d32e9

SHA256
ea28aec2f992c381a1467c96a9cb82581c127f187e68687232a0dffddafeb82b

SHA512
0ca903cbe36318d2fdc0a58a85e0a92087c91288d82f6fb228bd096d727562b72d5ea90a8236ee2745994fd8c4f1e9b82768e7653ce50facec499d6a0b68e013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
fce663fc7d7689ca4c097b7d9208b763

SHA1
90c6181f3de655e8ae7fe40d5787402ac574ccfb

SHA256
dbe629cea2e29e5fb57fc4b824c1ea9e3e82271bcf092028ee41ed7350c20541

SHA512
31998c14693f14ebc03ff61d40d67b4f7820abdfe7c668f2cd01214dda78838a065098cba5ebfbdc5479db3efc0a53d88f238d062f7efad5e6f2f19b549685c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
400B

MD5
c09d4b34255477764c4532c746cb3992

SHA1
29343535c2b9055f1f587323f77637f1b8686095

SHA256
1dc7938a323f4a67cb98f5e5db1acb5218be9081c2138e276b66aeba865813c6

SHA512
85916585f4ab44105dcd06e48710c33260df40aae7e44949d24ed19a2adbe6a12b3da243d28fad25680d816eada1f8982ae5b8d3afb5b8394e93b15abd54d813

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe

Filesize
601KB

MD5
77221f5f2a4984872389759b83446a62

SHA1
07c1d4795c8ec52dff45be198abde62c331ded59

SHA256
d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588

SHA512
bd64bd1be5fc366c600c5c88963e368fa82f31c0e692a27e7a7ce8cad0c5c4ac4d41cbba95e98bb5cfe753c3c157c399a2664b4e490068b18b2c7fe27bf10485

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Barnagtigt138.ini

Filesize
358B

MD5
a7171e05f022a1f6a7248e12fbccf748

SHA1
892d0916f107e4353f9b1f8195eae8c7288a9786

SHA256
6752d4faabfb64279eb5dc73418ed24d1d9cdb78a92915984b4c395842768b94

SHA512
c09becb22987b2a7c67e67e36c01ea6f7c874cef759d526eb61e4a59887a65d2b476a7b8efe6db1e3204d14aa3f245cf6b78a890fc20ac2977183b194a1826d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Jested.Tek192

Filesize
361KB

MD5
4ec9cbbd7066419d2ceff69ad3805e01

SHA1
4d197384c43e59aace38749aa8194657c594fe5e

SHA256
129a1f70792363b3359623b465db0dcf9fa3267e36322b04eea5739086d9fcfa

SHA512
86a842c471d1db41bf47040d3a14945c2e1dcda265ac6966defe744628b3f2b6fb92ad5b7a72c38466f9165f5e3163e81e2392f37b7f761862619f55bf436ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Desk120.pro

Filesize
51KB

MD5
13b04bc417af81c854aa09dbb72af9c0

SHA1
98c21022ed8b3a853e941e3198736a00916cda3f

SHA256
fc21d861ddd497bd57bddb3bc2f565212d6851f7b4a59154f0dbb06926f393e6

SHA512
a41c15512047491a90f9adbc46a840a69379f1cddebd8ec7100d2fc2e1fae414ae59dcb226da91c00362f9de1a0f7401e66a1e0f1f5daab7407ee10c76eedc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\Movieize.Hre

Filesize
124KB

MD5
07d9ec3690d68db14a35137e43e76590

SHA1
af3bcb09e8f9a095fc3aa747d73fd0701815d24e

SHA256
491cb797cfde3e8d2bdb9028f29a85f5bb9be1b8758c0b4f30b01655cdbcd14a

SHA512
66225f7b3c8898d93fdcf22b49f1f771dc01673ca240344675dbbc9c8d589e8bf9d57c9dcd6f98dec61df88427230a4213523661cc843bc23d41092057c22db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\dialogformerne.jpg

Filesize
20KB

MD5
8a77aa30afbd169c284151b0acf9e1fe

SHA1
8f5a0efd679b65db330eaab529db1bf95a77ae8c

SHA256
63d4e6bc6f0cd4d9703b8e053fc6f178775bb195fede282767a020f83d6f93f4

SHA512
665f237bc99601a4456f59b8cfa5c135856d0487ac23cfddc67e2787cb83b06fdb3b334164a50da07bfc6be12bbb0597793021051f3a18a2aecf6cb5c4f1ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\gowk.nul

Filesize
147KB

MD5
a5ad600eaeb7b4bd6f7e7bd7e4d382cb

SHA1
e6d7f9dec77f3d6b01e789679d8cbe1d9021e272

SHA256
21db5b3b885475eca98160ea34fbdc0303a54ad36fa41ca71f6dbe5c3570897d

SHA512
a5bc1cb401b08dd1546365a6072aaa4602e1995e39f972cde8c0bc8ee7569480c0f75aeb03106564d8985488850d383702700b2f730c1cbccca18d4234b867c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Skyggeridsene\ornecentral.par

Filesize
190KB

MD5
3f4118f3e2bf1f342eed397c3b00512a

SHA1
03e94f6f726aa9709b677017e212e4a795fb93fa

SHA256
dcf483fcbf601d8e5c57339369d7f79bbafba07e80b39fbe0b9b8e12f067a250

SHA512
621acce677f3ff07f94598fdb48c47f2e77c2d9ab3e8452501664d3c33d599cd9fd5ebb630cdf19bc4793272db36fc122ccc93170d192fab16e3aefba79b54d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc592E.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
C:\Users\Admin\Documents\Emissionsbreve.ini

Filesize
30B

MD5
9c41990255c107edff8d7ed715760746

SHA1
0adb5cd40454e53a34d2df3be971bea9b0e04452

SHA256
997506e1e3a395a57a4db940529da99b73d113bb10469d4e279bfbb8f67640b8

SHA512
d3cf4252752dd96e7fd855404f82ea57ad589f4d69b9df2bb93647657805f347ec65b97afa3fb0ec35e068b8deae31f863ed6c2e18bbe4146b03464301002018

Download Submit
memory/1108-273-0x0000000002130000-0x0000000006C8F000-memory.dmp

Filesize
75.4MB

Download
memory/1540-17-0x0000000077091000-0x00000000771B1000-memory.dmp

Filesize
1.1MB

Download
memory/1540-16-0x0000000077091000-0x00000000771B1000-memory.dmp

Filesize
1.1MB

Download
memory/1540-18-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1556-200-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/1556-201-0x00000000009B0000-0x0000000001C04000-memory.dmp

Filesize
18.3MB

Download
memory/1556-170-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/2976-271-0x0000000002510000-0x000000000706F000-memory.dmp

Filesize
75.4MB

Download
memory/2976-267-0x00000000012B0000-0x0000000002504000-memory.dmp

Filesize
18.3MB

Download
memory/2976-251-0x0000000002510000-0x000000000706F000-memory.dmp

Filesize
75.4MB

Download
memory/3048-68-0x0000000001E60000-0x00000000069BF000-memory.dmp

Filesize
75.4MB

Download
memory/3048-100-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/3048-104-0x0000000001E60000-0x00000000069BF000-memory.dmp

Filesize
75.4MB

Download
memory/3324-136-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/3324-106-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/3368-229-0x0000000001E60000-0x00000000069BF000-memory.dmp

Filesize
75.4MB

Download
memory/3368-249-0x0000000001E60000-0x00000000069BF000-memory.dmp

Filesize
75.4MB

Download
memory/3488-168-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/3488-138-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/5332-21-0x0000000077091000-0x00000000771B1000-memory.dmp

Filesize
1.1MB

Download
memory/5332-64-0x0000000077091000-0x00000000771B1000-memory.dmp

Filesize
1.1MB

Download
memory/5332-19-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/5332-20-0x0000000077118000-0x0000000077119000-memory.dmp

Filesize
4KB

Download
memory/5332-60-0x00000000009B0000-0x0000000001C04000-memory.dmp

Filesize
18.3MB

Download
memory/5624-202-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download
memory/5624-227-0x0000000001C10000-0x000000000676F000-memory.dmp

Filesize
75.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads